third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

6.2.3. IT takeover In an IT takeover, the actor gains control of the target’s IT systems with the aim of using resources. This abuse often escapes the user’s attention because the malicious attacker benefits from the resources continuing to be accessible. The takeover of IT can be an aim in itself. The intention behind it for hacktivists is often vengeance, blackmail or sabotage. Script kiddies and cyber vandals can takeover IT to highlight vulnerabilities or they do it for fun. Cyber criminals use takeover as a means of direct financial gain or they use it for other attacks. IT can be taken over in a number of ways, both automatically and manually. A system can be compromised by malware, which allows malicious attackers to take it over; it is therefore a means of, for example, theft or manipulation of information, bitcoin mining, sending spam or phishing e-mails and hosting information. Systems are also taken over to be included in a botnet. Criminals target websites that attract high visitor numbers so that they can spread malware (see box ‘Malware on legitimate websites: Telegraaf.nl example’). Advertising platforms are a regular target because the frequently visited website spreads malware through the platform. There is also a takeover where devices are abused as a means of attack. For example media reports suggest that telecommunications equipment from a Chinese manufacturer may contain backdoors. As a result, the networks that use them are said to be vulnerable. [118] Finally, it is conceivable that process control systems, ICS in particular, are being taken over by malicious attackers. Since small-scale process control systems in particular are insufficiently secured, takeover of such systems can be relatively easy. Cyber researchers regularly demonstrate that such systems in the Netherlands are vulnerable. Although there has been no evidence in the Netherlands of takeover of such systems with malicious intent, the vulnerability of these systems means that there is a real risk of takeover. The risk of van IT takeover is expected to increase because for malicious attackers it is a proven and successful tool, particularly in the form of botnets. The takeover of citizens’ IT by cyber criminals is classified as ‘high’ because they use this as a step towards stealing information and manipulating financial transactions. 118 ‘US accuses telecoms giants Huawei and ZTE of corruption’, NRC Handelsblad, 9-10-2012. 119 http://hitmanpro.wordpress.com/2012/09/08/banking-trojan-keeps-hitting-the-dutch-hard http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Virussen+en+wormen/ WD-2012-080+Nieuwssite+telegraaf.nl+serveert+link+naar+malware.html Malware on legitimate websites: Telegraaf.nl example On Thursday 6 September 2012, malicious software was spread briefly through the telegraaf.nl website that then attacked the PCs of visitors to this website. The aim of these attacks was to infect these PCs with malicious software. Visitors with vulnerable versions of Adobe and Java software installed on their PCs became infected with banking malware and ransomware. [119] 6.3 IT failure IT failure damages the availability of IT and therefore forms a threat. Failure can occur due to natural and technical events or due to human error. As hurricane Sandy combined with flooding in the United States in October 2012 demonstrated, natural events can result in large-scale IT failure over a long period. Failure of (one of the parts of ) IT can also occur due to technical events and/or human error, with consequences for an organisation’s processes. Despite careful and professional management of software and hardware and despite focusing attention on preventive measures, incidents and disruptions cannot be completely avoided. Incidents can also be expected to occur as a result of the increasing complexity of systems and increasingly intensive use. Furthermore, an attack on a third party or failure at a third party on which an organisation is dependent has major consequences for the company’s own business operations (an example of chain interests). Outsourcing of tasks entails vulnerabilities if the third party is attacked or has to combat failure, both in terms of the vulnerability of suppliers and customers and in connection with the danger of potential back doors in hardware. The consequences of an attack on or a failure at a third party can extend far beyond the directly hit organisation. As a result, a whole sector or even a country can be affected. For example Cloudflare customers also suffered a DDoS attack as a consequence of the DDoS attack on Spamhaus, a customer of Cloudflare. This is because Cloudflare supplies (among other things) services that secure websites against (D)DoS attacks. Because organisations are increasingly implementing measures to prevent IT failure, the threat is classified as ‘low’. 6.4 Incidents dealt with by NCSC The NCSC supports governments and organisations in vital sectors in dealing with incidents in the area of IT security. In this role, incidents are reported to the NCSC and the NCSC also identifies incidents and vulnerabilities itself, on the basis of detection for example. Furthermore, the NCSC acts at the request of international parties, in particular internet service providers, to provide support in combating cyber incidents abroad that have originated in the Netherlands (for example from a web server or from infected PCs in the Netherlands). The NCSC does this under the title ‘International requests for assistance’. 48
Core assessment » 6 Manifestations » »»»»» Incidents Incidents dealt with by NCSC (10Q4-13Q1) > 120 100 80 60 40 20 0 Quarter > 10Q4 11Q1 11Q2 11Q3 11Q4 12Q1 12Q2 12Q3 12Q4 13Q1 g Incidents at governments g Incidents at private organisations g International requests for assistance The number of incidents dealt with by NCSC showed no significant increase or decrease in the previous quarter. Following a sharp increase in the second quarter of 2012 (Þ 27 incidents compared with the first quarter) the number of incidents increased in the remaining quarters of 2012 to then fall again in the first quarter of 2013. The number of incidents reported by or in relation to the government during the reporting period of this CSAN remained relatively stable: between 42 and 48 incidents per quarter. The fluctuation in incidents is thus primarily caused by incidents relating to the private sector (28 to 42 per quarter) and the number of international requests for assistance (3 to 14 per quarter). With respect to incidents, the NCSC differentiates between threats, attacks and vulnerabilities. Looking at the government incidents, it is clear that attacks make up approximately 75 per cent of the incidents. Of the remaining threats, there is a decrease in the proportion of threats (from 17 to 5 per cent) and an increase in the proportion of vulnerabilities (from 14 to 20 per cent). Decrease in number of security incidents with SURFcert SURFcert is seeing a decrease of approximately 16 per cent in the number of recorded incidents in connected educational institutions compared with 2011. This cannot be attributed to any specific cause, but SURFcert is seeing that the institutions are able to respond increasingly appropriately and are applying more preventive measures. Media attention on this type of incident plays a role but so does knowledge exchange, for example through the SURFnet Community of Incident Response Teams (SCIRT). There has been an increase in DDoS attacks on connected institutions, primarily RoC schools, and occasionally also secondary schools and universities. 6.5 Conclusion Table 4 provides an overview of the threat posed by the various actors in attacking the targets of ‘governments’, ‘private organisations’ and ‘citizens’. Key causes behind the level of threats are the growing dependence on IT and the progressive innovation of tools that enable actors to become more capable, including relatively powerful tools that are giving even less competent actors the opportunity to carry out a successful cyber attack. States are able to develop and deploy advanced tools, while the cyber criminals continue to develop particularly the existing tools. Cyber crime is becoming increasingly professional in offering services for hiring tools for cyber attacks and siphoning off money (‘cybercrime-as-a-service’). Old wellknown weaknesses continue to be a means of abuse for cyber criminals. This applies equally to hacktivists, who trust primarily in 49
Page 1: Cyber Security Assessment Netherlan
Page 4 and 5: National Cyber Security Centre The
Page 7: Contents Foreword 3 Summary 7 Intro
Page 10 and 11: on governmental organisations and b
Page 12 and 13: However, it is assumed that they ar
Page 15 and 16: Introduction Information Technology
Page 17: Core assessment 1 Interests 17 2 Th
Page 20 and 21: 1.2 Dependency IT dependency contin
Page 22 and 23: Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 47 and 48: Core assessment » 6 Manifestations
Page 49: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101:
9.6 The resilience of ICS Security
Page 102 and 103:
100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105:
102
Page 106 and 107:
Incidents Types of government incid
Page 108 and 109:
Classification Classified data Clou
Page 110 and 111:
Information Information security In
Page 112 and 113:
Spoofing/IP spoofing SQL injection
Page 114:
112
show all

third Cyber Security Assessment Netherlands - NCSC

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?