third Cyber Security Assessment Netherlands - NCSC
7.2.4 Consequences of vulnerabilities in software

The NCSC uses a standard list of damage descriptions to categorise the impact of a vulnerability being abused. Every security advisory is linked to one or more of these standard descriptions, which together give a picture of the most important damage caused by vulnerabilities. Table 9 shows the damage connected to the NCSC security advisories issued during the period of this CSAN. [189] The most severe damage associated with the majority of the security advisories was performing a DoS attack. This was followed by executing arbitrary code with restricted rights and access to sensitive data.
7.2.5 Vulnerabilities in browsers and CMSs

The previous Cyber Security Assessment concluded that a large proportion of all the vulnerabilities registered were found in web browsers. During this reporting period too, many popular web browsers (Google Chrome, Mozilla Firefox and Apple Safari) appeared in the top 10 because of vulnerabilities. Two popular web browser add-ons (Oracle Java and Adobe Flash Player) also feature in the top 10 again.

Looking at the total number of vulnerabilities in popular web browsers in recent years, there has been a continual increase in vulnerabilities since 2008 (Figure 8). [190] One possible explanation is Google Chrome: a good proportion of the new vulnerabilities are in
of a website. The previous Cyber Security Assessment concluded that many CMS installations (28 per cent) are not equipped with the latest updates. At the end of 2012 the bRobot malware abused vulnerabilities in this type of software to place a rogue PHP script [191] on vulnerable servers. The script enables DDoS attacks to be carried out, the main targets of which were financial institutions in the United States. [192] The history of vulnerabilities in popular CMSs reveals a huge increase in vulnerabilities in the past year compared with the previous two years. In 2010 and 2011 there were 22 and 23 CVE IDs for these products respectively. In 2012 this number was 86 (↑ 374 per cent compared with 2011). However it

     Damage                                                 Percentage
 1   Denial-of-Service (DoS)                                45,7%
 2   Arbitrary code execution (with users' rights)          39,1%
 3   Access to sensitive data                               19,7%
 4   Security bypass                                        17,1%
 5   Privilege escalation                                   14,4%
 6   Access to system data                                  10,1%
 7   Authentication bypass                                   5,8%
 8   Arbitrary code execution (with administration rights)   4,8%
 9   Spoofing                                                3,5%
10   Data manipulation                                       3,4%

Table 9. Descriptions of damage with respect to NCSC security advisories

Figure 8. Development in vulnerabilities in browsers (chart: history of new vulnerabilities in browsers 2005-2012, one series each for Safari, Firefox, Chrome, Internet Explorer and Opera; vertical axis: number of vulnerabilities per year, 0 to 700)

189 Since a security advisory can be linked to multiple descriptions of damage, the total descriptions in Table 9 add up to more than 100%.
190 The number of vulnerabilities of course indicates nothing about the nature of these vulnerabilities.
191 PHP is one of the most common programming languages for websites.
192 http://ddos.arbornetworks.com/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/
82