third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

Table 3 provides a summary of the different main types of threat together with the most important actors and their objectives. The paragraphs below detail the main types of threat, indicate which manifestations are apparent and show the level of the threat. All of this is finally summarised in the conclusion. 6.1 Attack targeted at information We are constantly producing, collating, sharing and processing increasing volumes of information with one another. No one wants their financial details or personal or business information to fall into the wrong hands or be manipulated. However cyber attacks pose a threat that can harm the confidentiality and/or integrity of this information. This paragraph differentiates between two types of threat targeted at information: a) theft of information with possible publication or sale of information and b) manipulation of information. 6.1.1 Theft of information Theft information (possibly for publication and sale) concerns stealing confidential or valuable information. Actors may keep information for themselves and take personal advantage of it, but they may also publish or sell it. Information cannot be stolen in a legal sense – the terms is lifting of the exclusivity since the information is not removed. Information regarding financial transactions and identity are the most common targets of theft Research carried out by Verizon [106] reveals that it is predominantly information regarding financial transactions and identities that is stolen. Verizon states that criminals prefer information regarding financial transactions and personal information that can easily be converted into cash. Corporate espionage focuses on trade secrets, an organisation’s internal information and system information. Hacktivists target personal information and organisations’ internal information. Finally, identities are desirable information to all of these actors. Digital espionage The most apparent form of information theft is digital espionage (primarily) by states. For states, the motivation behind the theft of information is political, military or economic gain through digital espionage. [107] The extent to which and the structural way in which digital espionage is used poses a major threat to national security and the economy. Throughout this reporting period, various public and private organisations in the Netherlands have been a victim of this. This threat is therefore classified as ‘high’. 106 Verizon Data Breach Investigations Report 2013. 107 See cyber espionage section. 108 http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf 109 See for example http://hackmageddon.com en http://csis.org/publication/cyber-events-2006 for additional overviews of cyber espionage. Digital espionage aimed at citizens targets specific individuals (often dissidents) who are being tracked by states. Although the origin of digital espionage can rarely be established conclusively, there are various indications of state involvement. The General Intelligence and Security Service (AIVD) has detected espionage activities originating from China, Russia, Iran and Syria. See the detailed sections on Cyber Espionage for more information. There was an increase in the number of cases of digital espionage discovered last year. The actors behind these attacks dedicate substantial amounts of money and time to these attacks. The target is selected deliberately and the attack is targeted until the aim is achieved. This type of attack is also known as an APT. Advanced Persistent Threat (APT) An Advanced Persistent Threat is the threat ensuing from a targeted ‘long-term’ cyber attack, primarily on knowledgeable countries and organisations by states and criminal organisations. The General Intelligence and Security Service (AIVD) is investigating APTs. In these cases, the attacker persistently tries to penetrate a company and to secretly be present in the IT infrastructure. During the APT attack, the attacker will primarily collate ‘confidential’ information and/or prepare for disrupting the functioning of vital components. The majority of these attacks are simple in nature and succeed primarily because of the lack of adequate detection and security measures in organisations. In particular, the Mandiant report on what became known as their ‘APT1’ espionage attack received much publicity. [108] See the factsheet ‘Persistence pays off (APT)’ from the NCSC and the General Intelligence and Security Service (AIVD) for [35: NCSC 2013-2] more information. The summary on page 45 gives an indication of the scope and diversity of digital (espionage) attacks. [109] The information comes from open sources and is expressly not an exhaustive summary. Given certain similar features, some campaigns may describe the same attack. The data stated refers to the first publication in open sources and therefore not the ‘start date’ of the attack. In some cases, this is months or even years earlier. Theft of information for financial gain Criminals steal information to cause harm to others or to put others under pressure (blackmail). The information acquired (for example user names and passwords) can also serve as a tool for manipulation or information. Theft of information often originates from malware-infected computers that may possibly form part of a botnet. The computers in a botnet send the captured information to a central computer. In December 2012, the NCSC received information from the investiga- 44
Core assessment » 6 Manifestations » »»»»» Flame: Targets primarily Iran and Middle East. Industry in North and South America victim of MEDRE. MS-updater: aerospace industry a target. Shamoon targets organisations in the Middle East. Kaspersky highlights Gauss (affiliated to Flame and Duqu). Ababil DDoS campaign targets financial institutions in the United States (repeated in January and March 2013). Teamspy: East European government bodies, companies and human rights organisations have been spied on for ten years. Apr 2012 May 2012 Jun 2012 Jul 2012 Aug 2012 Sep 2012 Oct 2012 Nov 2012 Dec 2012 Jan 2013 Feb 2013 Mar 2013 Government institutions, the electro-technical and the telecommunications industry are the target of (Chinese) APT MEHDI spear phishing attack reveals traces of Farsi in the coding. The VOHO Campaign: more than 900 organisations worldwide are victims. Mirage is focused on defence and energy sector. PLUGX: probably Chinese RAT affects specific users in Japan, China, and Taiwan. Elderwood: attack uses four zero days. Red October appears to have focused on scientific and government bodies in more than 300 countries. APT1: Worldwide attack by (allegedly) Chinese actors (also known as SHADY RAT, COMMENT CREW, etc.). Discovery of MiniDuke, a strongly modified backdoor. tive companies Digital Investigation and SurfRight regarding the Pobelka botnet, which was based on data from a ‘command & control’ (C&C) server. Research from various parties reveals how diverse the captured information is, and how sensitive this information is in certain cases. See the detailed section on botnets for more information. Criminals use the information they capture, such as log-in or credit card details, for different attacks or sell them for direct financial gain. There are numerous underground websites selling stolen information, including credit card details, email addresses and other personal details. Pobelka botnet collates information Pobelka is a botnet, which, just like Dorifel, uses the Citadel distribution platform. The primary aim of Citadel botnets is to manipulate financial transactions. All other data that is collected can be seen as collateral damage. The data captured are personal identification details, company information, information about the computer and vulnerabilities in the software used by the organisation or individual concerned. Parts of this data are often used in bulk, and sometimes sold on for large amounts. Personal identification details are also used for identity fraud or to mislead people, for example with social engineering. Theft and publication of information for activist purposes The other actors (hacktivists, cyber vandals, internal actors) publish stolen data to highlight vulnerabilities, promote their own image or cause harm to others. One example is the publication of obtained business and personal data. Once it is ‘stolen’, information can easily be used in many ways. The website ‘pastebin.com’ is a frequently used resource because information can be placed on it anonymously. Individuals with malicious intent often use it to publish files containing a company’s customer user names and passwords, generally with an activist motivation. Actors can gain access to information, for example by breaking in to a website or database. One example of this is the Groene Hart zieken huis, a hospital that was caused embarrassment because a hacker was able to view patients’ medical files. Another medical institution break-in relates to Diagnostiek voor U, which became known because of the Henk Krol case. Digital break-ins can also happen for ideological reasons: in January 2013, a group of hackers claimed the digital break-in at an archive centre belonging to the French Ministry of Defence and [110] also carried out break-ins in Asia [111] . The threat of theft of information by criminals is classified as ‘high’ because they steal information for financial gain from governments, private organisations and citizens. 110 ‘XTNR3VOLT Claims Hacking Of French Ministry Of Defense Website’, Site monitoring service, 15-1-2013. 111 Examples: http://www.zdnet.com/ph/hackers-take-sabah-conflict-to-cyberspace-7000012061/, http://www.ehackingnews.com/2012/06/50-pakistani-sites-hacked-by-silent.html 45
Page 1: Cyber Security Assessment Netherlan
Page 4 and 5: National Cyber Security Centre The
Page 7: Contents Foreword 3 Summary 7 Intro
Page 10 and 11: on governmental organisations and b
Page 12 and 13: However, it is assumed that they ar
Page 15 and 16: Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 20 and 21: 1.2 Dependency IT dependency contin
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45: Core assessment » 6 Manifestations
Page 49 and 50: Core assessment » 6 Manifestations
Page 51 and 52: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97:
In 2012, ACM received a total of 14
Page 98 and 99:
car park will not open. It is annoy
Page 100 and 101:
9.6 The resilience of ICS Security
Page 102 and 103:
100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105:
102
Page 106 and 107:
Incidents Types of government incid
Page 108 and 109:
Classification Classified data Clou
Page 110 and 111:
Information Information security In
Page 112 and 113:
Spoofing/IP spoofing SQL injection
Page 114:
112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?