third Cyber Security Assessment Netherlands - NCSC
Detailed section » 7 Vulnerability of IT
should be noted that the vulnerabilities are frequently found
in add-ons (plug-ins) from third parties and not particularly in the
core of the CMS itself.
7.2.6 State of affairs of websites in the .nl-domain
Just as in the previous Cyber Security Assessment, websites in the
.nl-domain were again analysed this time. The websites fall into
three different domains: government general, government local
authorities and Alexa top 1,000 (top 1,000 of most visited
.nl-domains, www.alexa.com).
It is, however, dangerous to draw conclusions about the vulnerabilities
present purely and simply on the basis of the version numbers.
For example, Linux distributions offer plug-in CMS packages that are
based on an older version of the CMS, but which in some cases
encompass security fixes from later versions (backported security
fix). Assuming a very positive scenario (the versions provided by the
distributions are up-to-date), the percentage of systems that are not
up-to-date will be around 10 per cent. This means that these
websites are highly vulnerable.
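
The caveat above can be made concrete with a small inventory check. This is an added example, not part of the NCSC report: the CMS names, release lists and inventory records are constructed, and the `source` field marking distribution packages is an assumption. It classifies each installation by version lag and reports the shares under both a face-value reading and the optimistic reading in which distribution packages carry backported fixes.

```python
from collections import Counter

# Constructed release history per CMS, oldest to newest (hypothetical names and versions).
RELEASES = {
    "cms-a": ["2.5.6", "2.5.7", "2.5.8", "2.5.9"],
    "cms-b": ["7.19", "7.20", "7.21"],
}

# Constructed inventory: (cms, version seen, how it was installed).
# The "source" value is an assumed field, e.g. taken from package metadata.
INVENTORY = [
    ("cms-a", "2.5.9", "upstream"),
    ("cms-a", "2.5.8", "upstream"),
    ("cms-a", "2.5.6", "distro"),     # old base version, fixes may be backported
    ("cms-a", "1.5.26", "upstream"),  # branch absent from the supported release list
    ("cms-b", "7.21", "upstream"),
    ("cms-b", "7.19", "distro"),
    ("cms-b", "7.19", "upstream"),
    ("cms-b", "7.20", "distro"),
]

def classify(cms, version, source, trust_distro):
    """Return 'current', 'one_behind' or 'outdated' for one installation."""
    if trust_distro and source == "distro":
        # Optimistic scenario: the distribution keeps its package patched.
        return "current"
    history = RELEASES[cms]
    if version not in history:
        return "outdated"  # unknown or unsupported version
    lag = len(history) - 1 - history.index(version)
    return "current" if lag == 0 else "one_behind" if lag == 1 else "outdated"

def summarise(inventory, trust_distro):
    """Percentage of installations per category, rounded to one decimal."""
    counts = Counter(classify(c, v, s, trust_distro) for c, v, s in inventory)
    return {k: round(100 * counts[k] / len(inventory), 1)
            for k in ("current", "one_behind", "outdated")}

if __name__ == "__main__":
    # The two readings bound the real exposure from above and below.
    print("face value  :", summarise(INVENTORY, trust_distro=False))
    print("trust distro:", summarise(INVENTORY, trust_distro=True))
```

The gap between the two results is the share of installations whose patch state cannot be decided from the version number alone and needs the package changelog to resolve.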
Figure 9. Development in CMS-based vulnerabilities (chart: history of new vulnerabilities in CMSs 2005-2012, per year, for Wordpress, Joomla, Drupal, Typo3, DotNetNuke, SPIP and Movable Type)
CMS versions
Just as in 2012, research was carried out for this Cyber Security
Assessment into the common versions of popular CMS software.
A total of 290 installations of Joomla, Drupal, Wordpress and
Typo3 were researched. In general it emerged that 38.6 per cent of
all installations are fully up-to-date and are using the latest available
version of the CMS. A total of 16.2 per cent are running a version
behind and 45.2 per cent of all installations have a version that is at
least two security updates behind or is no longer supported by the
CMS supplier.
SSL configurations
The research identified a total of 1,107 systems that can be reached
by SSL. To assess to what extent the SSL systems in question are
securely configured, they were tested with respect to four relevant
recommendations from the ‘SSL/TLS Deployment Best Practices
Guide’. [193] Table 10 indicates how many systems have a vulnerable
configuration.
193 https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.0.pdf