third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

An attacker can abuse devices linked to the internet in a number of ways: »» Direct abuse of processing capacity, connectivity and bandwidth: an attacker can takeover systems and then make them part of a botnet. Botnets such as these can be used for lots of dishonest purposes. »» Abuse as a stepping stone: from a system he has taken over, an attacker can crawl and attack other systems. »» Steal (confidential) personal or business data: an attacker can steal sensitive data that is stored on the system (e-mail, documents, databases). »» Profiling of personal behaviour: an attacker can collate details of a user’s behaviour from the device (location details, websites visited, purchases made). Abuse of this information is of interest for targeted attacks. »» Detecting and stealing personal identity: an attacker pretends to be someone else (spoofing) and uses this to his benefit. An attacker can also find out a user’s identity under a pseudonym and abuse this (doxing). »» Stealing credentials for access to services: an attacker can capture the user’s identification details (account name, password, access code, cryptographic key) and use these to access the user’s services (web services, e-mail, cloud services, internet shops, banks) and send messaged or complete transactions. »» Denial of service, sabotage: an attacker can sabotage the device and cause harm. Direct abuse Stepping Stone Data theft Profiling Identity theft Credentials theft Denial of Service Consumer computer devices Practice Practice Practice Practice a Practice Practice Practice Consumer network devices Practice b Practice Practice Theory PoC Practice Practice Mobile consumer devices Theory Practice PoC / Practice c Practice Practice Theory Practice - Fixed consumer devices Theory Theory - PoC d - - Theory Fixed technical and business devices PoC e Practice Theory - - Practice PoC Mobile technical devices - - - PoC f - - PoC Table 6. Matrix of abuse potential per category of device a) Consumer computer devices such as laptops and PCs generally do not have a location sensor. However the user can be profiled using cookies, the IP address and by using location software such as Google Maps. b) Consumer routers require attention with respect to security. This was the warning the Consumers’ Association gave to its members at the beginning of this year, alerting them to easily cracked router passwords. [146] c) Previously refuted rumours of a botnet on mobile devices were later confirmed by the BBC. [147] There was further speculation from McAfee Labs [22: McAfee 2013-2] concerning a Near Field Communication (NFC) worm. d) In part following on from alleged large-scale electricity metre fraud, the European network security organisation ENISA issued a [9: ENISA 2012] report in May 2012 on the security of electricity networks. e) As far back as 2010, Barnaby Jack demonstrated at the Black Hat security conference that cash machines were vulnerable to abuse. Abusing technical vulnerabilities would allow large amounts of money to be obtained. [148] f) During the RSA security conference in 2012 in San Francisco, a security investigator demonstrated that a wireless insulin pump could be abuse remotely to administer a lethal dose of insulin. [149] 146 Consumentenbond, Actueel, (3 January 2013), http://www.consumentenbond.nl/actueel/ nieuws/nieuwsoverzicht-2013/Half-miljoen-wifi-routers-lek/ 147 BBC news, China mobile users warned about large botnet threat, (15 January 2013), http://www.bbc.co.uk/news/technology-21026667 148 Wired Threat Level,(July 2010), Researcher Demonstrates ATM ‘Jackpotting’ at Black Hat Conference, http://www.wired.com/threatlevel/2010/07/atms-jackpotted/ en IT SECURITY BLOG, (Augustus 2012), Exploiting ATMs: a quick overview of recent hacks, http://security. blogoverflow.com/2012/08/exploiting-atms-a-quick-overview-of-recent-hacks/ 149 Bloomberg Tech Blog, (29 February 2012), Hacker Shows Off Lethal Attack By Controlling Wireless Medical Device. 72
Detailed section » 5 Hyperconnectivity 5.4 State of affairs To determine how current a threat is, a distinction is made between the following types of abuse: »» Theory: security investigators have raised the possibility and it is deemed to be credible. »» Proof of Concept: attacks have been demonstrated by security investigators. Where encountered in practice, these attacks are only occasional and the damage is very small. »» Practice: attacks do happen in practice and more than occasional damage is reported. Simple tools make it easy to carry out attacks. Table 6 indicates the status of potential abuse per category of device. The footnotes show notable examples reported in the media in the previous period. The risks associated with the latest types of network device appear to be limited. The attacks identified to date often take place under particular circumstances. For example malware from the botnet described earlier (note c) appears to have used applications that were installed from an unofficial application store. 5.5 The merits of IPv6 The introduction of IPv6 will result in a shift of risks in the word of hyper-connective devices. IPv6 was developed in part to tackle limitations in the earlier IPv4 addressing standard. The bigger address space and clearer network segmentation was supposed to result in a network that was easier to maintain. In practice it seems that IPv6 differs from IPv4 such that introducing IPv6 without having any in-depth knowledge results in security risks. Often purchased devices are automatically configured or pre-configured for IPv6. If a device is connected with IPv6, it can be reached by the internet. The first DDoS attacks by IPv6 were reported in 2012. [150] The IPv6 protocol is now virtually standard for today’s frequently used mobile operating systems. [151] Currently, the manufacturer and/ or the application developer still determines to what extent the new protocol is used on the device. 5.6 Evidence of increased risk There is an increased risk associated with the constantly increasing number of devices and associated internet connections. In general manufacturers – often for financial reasons – have no need to secure devices and to remedy any vulnerabilities. Furthermore, vulnerabilities can often not simply be eliminated. There are often large numbers of vulnerable devices in circulation that when in use, are virtually always connected to the network. While the harm caused if a fridge or coffee maker is hijacked initially appears to be minor, a device hijacked in a botnet can cause much damage. A survey [152] into vulnerable devices that could be reached through the internet shows how these can be charted. By placing programme code on the vulnerable devices to look for other vulnerable devices, the search time can be reduced exponentially. This means that the impact of a vulnerability can be highlighted in a significantly shorter time. 5.7 Causes Large numbers of vulnerable devices can be found on the internet. The causes of this are largely the limited options for updates and poor maintenance of these devices. These same causes are apparent among various stakeholders. Financial factors affecting suppliers also play a role. Because of the commercial pressure to bring new versions out quickly and not provide support for older versions, security errors are never resolved. Maintenance and updates come at a relatively high cost, with low revenue. Suppliers want to offer the lowest price and sometimes therefore economise on security. Suppliers of technical equipment (telephone equipment, transmitter installations and medical equipment) are keen to manage their own equipment and often prohibit other people from installing updates as a result of which the equipment is sometimes unnecessarily vulnerable. Because of the increased desire to connect, devices that were not originally designed to be connected to the internet (such as industrial control systems) are now connected because of the ease and efficiency this can be done with, even though the design has taken no account of security. Devices regularly have network functions with unclear security risks that are difficult for consumers to configure. There is a lack of knowledge and awareness of security among developers. IT education and publications about internet platforms generally devote the most attention to functionality and too little to security. Where there is focus on security, it is all about securing the functionality and not about the technical security aspects. [153] The same functional software modules are often used for developing equipment. In practice it appears that the versions of these software modules that are used are often outdated and not secure. [154] Many users, certainly of consumer products, have little awareness of security problems, do not understand that updates are needed and often do not know how to install updates, certainly in the case of firmware updates. « 150 Steven J. Vaughan-Nichols, First IPv6 Distributed Denial of Service Internet attacks seen, ZDnet, (20 February, 2012) .http://www.zdnet.com/blog/networking/ first-ipv6-distributed-denial-of-service-internet-attacks-seen/2039 151 Wikipedia, Comparison of IPv6 support in operating systems, (http://en.wikipedia.org/wiki/ Comparison_of_IPv6_support_in_operating_systems). 152 http://internetcensus2012.bitbucket.org/paper.html 153 Andy Balinsky, Cisco Blog, <strong>Security</strong> Features vs. Securing Features, (December 2012), http://blogs.cisco.com/security/security-features-vs-securing-features/ 154 Rapid7, <strong>Security</strong> Flaws in Universal Plug and Play, Unplug, Don’t play, RSA Conference 2013. 73 »
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16:
Introduction Information Technology
Page 17:
Core assessment 1 Interests 17 2 Th
Page 20 and 21:
1.2 Dependency IT dependency contin
Page 22 and 23:
Increased IT dependency in electric
Page 24 and 25: on the internet such as an electric
Page 26 and 27: approached or incited by states for
Page 28 and 29: Actor Intentions Skills Targets Sta
Page 30 and 31: get the script kiddies started. One
Page 32 and 33: location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?