third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

Vulnerability Number of systems Pct “SSL v2 is insecure and must not be used” “Anonymous Diffie-Hellman (ADH) suites do not provide authentication” “NULL cipher suites provide no encryption” “Suites with weak ciphers (typically of 40 and 56 bits) use encryption that can easily be broken” Table 10. SSL configurations 1 (40 bits) 212 (56 bits) 266 (40+56 bits) 194 17,5% 20 1,8% 1 0,1% 43,3% What primarily appears to be a major problem is that many SSL systems still support 40 or 56 bits keys to create an encrypted connection with the client. While this may not happen often in practice (because the system also supports longer key lengths), the best practice is to make such weak connections impossible by changing the configuration. It should be noted at this point that only systems offering SSL were reviewed. There are many more sites offering connections that are not secured with SSL. Defacements During the period of this Cyber Security Assessment, there were just under 50,000 defacements of websites in the .nl domain. [194] In a defacement, the attacker places one of his own pages on a web server, for example to spread a message or to highlight that a web server has a vulnerability. Given that attackers often record such defacements – and possibly the details – on ZoneH, this site provides valuable information about these defacements and the attacks behind them. Unfortunately website defacements seem to be the order of the day: on average there are around 4,000 defacements to be found on the .nl domain in ZoneH. This average hides some extremes: for example in January 2012 there were more than 16,000 defacements, but just 434 in August 2012. In a few cases, ‘mass defacements’ occurred, where a large number of websites were attacked all at once through the same vulnerability at one provider. For example in April 2012, there was an attack on a single IP address on which 2,789 websites were configured. Other points that came out from the registration of defacements are: »» The biggest vulnerability that was abused to compromise websites was file inclusion (36 per cent), followed by an attack on the administrator’s log-in details (8.7 per cent) and SQL injection (3.2 per cent). In a good 43 per cent of cases there was no record of the cause. »» The vast majority of defacements were against Linux systems: in a good 61 per cent of the cases, a website used this operating system. In 30 per cent of the cases, the operating system was not known. Much further down from Linux come Microsoft Windows (2.5 per cent) and FreeBSD (2.1 per cent) as platforms used. »» The biggest reasons for carrying out a defacement are for fun (41 per cent) and to be the best defacer (34 per cent). In only 1 per cent of cases did defacement take place because of political considerations. In 20 per cent of the defacements, the attacker gave no reason. Number of registered defacements of .nl websites 2012Q2 - 2013Q1 20000 15000 10000 5000 0 apr '12 may '12 jun '12 jul '12 aug '12 sep '12 oct '12 nov '12 dec '12 jan '13 feb '13 mar '13 Figure 10. Defacements within the .nl domain (source: ZoneH) 194 Source: reports on ZoneH for the .nl-domain. 84
Detailed section » 7 Vulnerability of IT »» Almost one third of the defacements (32 per cent) took place on a Saturday. »» Around one quarter of the defacements (27 per cent) were carried out by the same hacker or group of hackers (‘T0r3x’). IPv6 and DNSSEC As part of the investigation into the characteristics of websites, the support from DNSSEC and IPv6 in the aforementioned categories was also reviewed. This yielded the following findings: Around 12 per cent of the almost 2,000 domains investigated were supported by DNSSEC. This support is present primarily in the largest 1,000 domains according to Alexa.com (17 per cent) and much lower in the government and local authorities (both 7 per cent). Support for IPv6 seem to be behind on the DNSSEC support: for approximately 3 per cent of all domains, there is an IPv6 address linked to the ‘www host’ for that domain. Here too, the Alexa top 1,000 appears to be ahead of the government: 4.5 per cent compared with 2.4 per cent for the government and 0.6 per cent for local governments. The average is consistent with the picture of IBM, for example, which in June 2012 established that 3 per cent of all internet sites have an IPv6 address. 7.3 Tools used In this chapter, two type of tool are examined in more depth to the core assessment, these being exploits and malware. Botnets as a tool are dealt with as a separate detailed section. 7.3.1 Exploits Exploits appear regularly on the internet, providing a simple way of abusing known and unknown vulnerabilities. An analysis of the exploits carried out provides insight into the development of these exploits over the years. Exploit-db.com is a website that collates exploits and makes them available to everyone. Looking at the exploits published since 2005, there is a sharp decrease in publicly available exploits from the third quarter of 2010. IBM also reported a decrease in public exploits following a peak in 2010. [15: IBM 2012] IBM cites changes made to software that make it harder to exploit vulnerabilities as one of the main causes. Another possible cause is that new (as yet unknown) vulnerabilities are now being sold commercially. Exploits primarily target web platforms and Microsoft Windows. PHP is a particularly popular platform for attack; many open source PHP applications and plug-ins for CMS applications such as Wordpress are among the PHP exploits (see Figure 11). » 200 Exploits per platform 2012Q2 - 2013Q1 150 100 50 0 2012Q2 2012Q3 2012Q4 2013Q1 UNIX BSD Web Windows Other Hardware Linux Multiple Apple OS/X Figure 11. Exploits per platform 85
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16:
Introduction Information Technology
Page 17:
Core assessment 1 Interests 17 2 Th
Page 20 and 21:
1.2 Dependency IT dependency contin
Page 22 and 23:
Increased IT dependency in electric
Page 24 and 25:
on the internet such as an electric
Page 26 and 27:
approached or incited by states for
Page 28 and 29:
Actor Intentions Skills Targets Sta
Page 30 and 31:
get the script kiddies started. One
Page 32 and 33:
location’, there is no one single
Page 34 and 35:
Furthermore, business information c
Page 36 and 37: environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 85: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?