third Cyber Security Assessment Netherlands - NCSC
third Cyber Security Assessment Netherlands - NCSC
third Cyber Security Assessment Netherlands - NCSC
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Vulnerability Number of systems Pct<br />
“SSL v2 is insecure and must<br />
not be used”<br />
“Anonymous Diffie-Hellman<br />
(ADH) suites do not provide<br />
authentication”<br />
“NULL cipher suites provide no<br />
encryption”<br />
“Suites with weak ciphers<br />
(typically of 40 and 56 bits)<br />
use encryption that can easily<br />
be broken”<br />
Table 10. SSL configurations<br />
1 (40 bits)<br />
212 (56 bits)<br />
266 (40+56 bits)<br />
194 17,5%<br />
20 1,8%<br />
1 0,1%<br />
43,3%<br />
What primarily appears to be a major problem is that many SSL<br />
systems still support 40 or 56 bits keys to create an encrypted<br />
connection with the client. While this may not happen often in<br />
practice (because the system also supports longer key lengths), the<br />
best practice is to make such weak connections impossible by<br />
changing the configuration. It should be noted at this point that<br />
only systems offering SSL were reviewed. There are many more sites<br />
offering connections that are not secured with SSL.<br />
Defacements<br />
During the period of this <strong>Cyber</strong> <strong>Security</strong> <strong>Assessment</strong>, there were<br />
just under 50,000 defacements of websites in the .nl domain. [194]<br />
In a defacement, the attacker places one of his own pages on a web<br />
server, for example to spread a message or to highlight that a web<br />
server has a vulnerability. Given that attackers often record such<br />
defacements – and possibly the details – on ZoneH, this site<br />
provides valuable information about these defacements and the<br />
attacks behind them.<br />
Unfortunately website defacements seem to be the order of the day:<br />
on average there are around 4,000 defacements to be found on the<br />
.nl domain in ZoneH. This average hides some extremes: for<br />
example in January 2012 there were more than 16,000 defacements,<br />
but just 434 in August 2012. In a few cases, ‘mass defacements’<br />
occurred, where a large number of websites were attacked all at<br />
once through the same vulnerability at one provider.<br />
For example in April 2012, there was an attack on a single IP address<br />
on which 2,789 websites were configured.<br />
Other points that came out from the registration of defacements are:<br />
»»<br />
The biggest vulnerability that was abused to compromise<br />
websites was file inclusion (36 per cent), followed by an attack on<br />
the administrator’s log-in details (8.7 per cent) and SQL injection<br />
(3.2 per cent). In a good 43 per cent of cases there was no record<br />
of the cause.<br />
»»<br />
The vast majority of defacements were against Linux systems:<br />
in a good 61 per cent of the cases, a website used this operating<br />
system. In 30 per cent of the cases, the operating system was not<br />
known. Much further down from Linux come Microsoft Windows<br />
(2.5 per cent) and FreeBSD (2.1 per cent) as platforms used.<br />
»»<br />
The biggest reasons for carrying out a defacement are for fun<br />
(41 per cent) and to be the best defacer (34 per cent). In only<br />
1 per cent of cases did defacement take place because of political<br />
considerations. In 20 per cent of the defacements, the attacker<br />
gave no reason.<br />
Number of registered defacements of .nl websites 2012Q2 - 2013Q1<br />
20000<br />
15000<br />
10000<br />
5000<br />
0<br />
apr '12<br />
may '12<br />
jun '12<br />
jul '12<br />
aug '12<br />
sep '12<br />
oct '12<br />
nov '12<br />
dec '12<br />
jan '13<br />
feb '13<br />
mar '13<br />
Figure 10. Defacements within the .nl domain (source: ZoneH)<br />
194 Source: reports on ZoneH for the .nl-domain.<br />
84