third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

7.2.4 Consequences of vulnerabilities in software The NCSC uses a standard list of damage descriptions to categorise the impact of a vulnerability being abused. Every security advisories is linked to one or more of these standard descriptions, which then produces an image of the most important damage caused by vulnerabilities. Table 9 shows the damage connected to the NCSC security advisories issued during the period of this CSAN. [189] The most severe damage associated with the majority of the security advisories was performing a DoS attack. This was followed by executing arbitrary code with restricted rights and access to sensitive data. 7.2.5 Vulnerabilities in browsers and CMSs The previous Cyber Security Assessment concluded that a large proportion of all the vulnerabilities registered were found in web browsers. During this reporting period too, many popular web browsers (Google Chrome, Mozilla Firefox and Apple Safari) appeared in the top 10 because of vulnerabilities. Two popular web browsers add-ons (Oracle Java and Adobe Flash Player) also feature in the top 10 again. Looking at the total number of vulnerabilities in popular web browsers in recent years, there has been a continual increase in vulnerabilities since 2008 (Figure 8). [190] One possible explanation is Google Chrome: a good proportion of the new vulnerabilities are in of a website. The previous Cyber Security Assessment concluded that Damage Percentage 1 Denial-of-Service (DoS) 45,7% 2 Arbitrary code execution (with users’ rights) 39,1% 3 Access to sensitive data 19,7% 4 Security bypass 17,1% 5 Privilege escalation 14,4% 6 Access to system data 10,1% 7 Authentication bypass 5,8% 8 Arbitrary code execution (with administration rights) 4,8% 9 Spoofing 3,5% 10 Data manipulation 3,4% Table 9. Descriptions of damage with respect to NCSC security advisories 700 History of new vulnerabilities in browsers 2005-2012 600 500 400 300 200 100 0 2005 2006 2007 2008 2009 2010 2011 2012 g Safari g Firefox g Chrome g Internet Explorer g Opera Figure 8. Development in vulnerabilities in browsers 189 Since a security recommendation can be linked to multiple descriptions of damage, the total descriptions in Table 9 add up to more than 100%. 190 The number of vulnerabilities of course indicates nothing about the nature of these vulnerabilities. 191 PHP is one of the most common programming languages for websites. 192 http://ddos.arbornetworks.com/2012/12/ lessons-learned-from-the-u-s-financial-services-ddos-attacks/ many CMS installations (28 per cent) are not equipped with the latest updates. At the end of 2012 the bRobot malware abused vulnerabilities in this type software of software to place a rogue PHP script [191] on vulnerable servers. The script enables DDoS attacks to be carried out, the main target of which were financial institutionsin the United States. [192] The history of vulnerabilities in popular CMSs reveals a huge increase in vulnerabilities in the past year compared with the previous two years. In 2010 and 2011 there were 22 and 23 CVE IDs for these products respectively. In 2012 this number was 86 (Ý 374 per cent compared with 2011). However it 82
Detailed section » 7 Vulnerability of IT should be noted that the vulnerabilities are frequently found in add-ons (plug-ins) from third parties and not particularly in the core of the CMS itself. 7.2.6 State of affairs of websites in the.nl-domain Just as in the previous Cyber Security Assessment, websites in the .nl-domain were again analysed this time. The websites fall into three different domains: government general, government local authorities and Alexa top 1,000 (top 1,000 of most visited . nl-domains, www.alexa.com) It is however dangerous to draw conclusions about the vulnerabilities present purely and simply on the basis of the version numbers. For example Linux distributions offer plug-in CMS packages that are based on an older version of the CMS, but which in some cases encompass security fixes from later versions (backported security fix). Assuming a very positive scenario (the versions provided by the distributions are up-to-date) the percentage of systems that are not up-to-date will be around 10 per cent. This means that these websites are highly vulnerable. » 100 History of new vulnerabilities in CMSs 2005-2012 90 80 70 60 50 40 30 20 10 0 2005 2006 2007 2008 2009 2010 2011 2012 g Wordpress g Joomla g Drupal g Typo3 g DotNetNuke g SPIP g Movable Type Figure 9. Development in CMS-based vulnerabilities CMS versions Just as in 2012, research was carried out for this Cyber Security Assessment into the common versions of popular CMS software. A total of 290 installations from Joomla, Drupal, Wordpress and Typo3 were researched. In general it emerged that 38.6 per cent of all installations are fully up-to-date and are using the latest available version of the CMS. A total of 16.2 per cent are running a version behind and 45.2 per cent of all installations have a version that is at least two security updates behind or is no longer supported by the CMS supplier. SSL configurations The research identified a total of 1,107 systems that can be reached by SSL. To assess to what extent the SSL systems in question are securely configured, there were tested with respect to four relevant recommendations from the ‘SSL/TLS Deployment Best Practices Guide’. [193] Table 10 indicates how many systems have a vulnerable configuration. 193 https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.0.pdf 83
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16:
Introduction Information Technology
Page 17:
Core assessment 1 Interests 17 2 Th
Page 20 and 21:
1.2 Dependency IT dependency contin
Page 22 and 23:
Increased IT dependency in electric
Page 24 and 25:
on the internet such as an electric
Page 26 and 27:
approached or incited by states for
Page 28 and 29:
Actor Intentions Skills Targets Sta
Page 30 and 31:
get the script kiddies started. One
Page 32 and 33:
location’, there is no one single
Page 34 and 35: Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 83: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?