third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

As described earlier, the total number of vulnerabilities in browsers continues to rise. Based on this, the number of available exploits for browsers can also be expected to rise. However this appears not to be the case. Figure 12 shows the total number of exploits available for the browsers as described previously under vulnerabilities. Figure 12 shows that the number of browser exploits reached a peak in 2010 (84 exploits) and then declined rapidly to just 16 in 2012. 7.3.2 Exploit kits Exploit kits bundle together ready-to-use exploits for vulnerabilities that can be used to infect large volumes of systems very quickly. Criminals often use exploit kits to build up a botnet by ‘drive-by’ This maximises the chance of the exploit kit infecting a large number of systems over a short period of time. It seems that Oracle Java and Microsoft Internet Explorer are by far the most popular targets for attack by exploit kits: half of all exploits are in relation to these products. These are followed by Adobe Flash and Adobe Reader. Figure 13 provides a summary of the products that exploit kits target. In some cases, the exploit kits themselves contain exploits for vulnerabilities in Internet Explorer from 2004 and 2005 (Internet Explorer 5.01, 5.5 and 6, which are often still in use in combination with Windows XP). This points to old versions and sometimes versions that are no longer supported still being in use. 90 Exploits for browser vulnerabilities (2005-2012) 80 70 60 50 40 30 20 10 0 2005 2006 2007 2008 2009 2010 2011 2012 g Internet Explorer g Firefox g Safari g Google Chrome g Opera Figure 12. Development in number of exploits for browsers attacks. Contagiodump [195] is a source on the internet that collates and makes available information about exploit kits, providing insight into the exploit kits that are available and the vulnerabilities they abuse. A recent survey [196] of 38 exploit kits (and versions of them) reveals that together they are actively abusing 65 vulnerabilities. Some exploit kits contain just two exploits whereas other exploit kits abuse more than ten. Exploit kits generally include exploits that appear to be effective and abuse vulnerabilities in the software installed on many systems. 195 http://contagiodump.blogspot.com 196 https://docs.google.com/spreadsheet/ccc?key=0AjvsQV3iSLa1dE9EVGhjeUhvQTNReko3c2xhT mphLUE&usp=sharing (updated March 2013). The fact that attacks on these products can be successful is also indicated by figures published by Microsoft regarding the installation of security updates by end users. [24: MS 2012-1] These figures show, for example, that 94 per cent of computers worldwide that have Java, have not installed the latest update of this software and that 51 per cent of all computers have missed the last three Java updates. Equally, almost half of end-users have missed the last three updates of other software such as Adobe Reader and Flash Player. Another alarming conclusion reached by Microsoft is that 7 per cent of all Adobe Reader users have a version that is no longer supported by Adobe and for which Adobe therefore no longer issues updates. This percentage is as high as 9 per cent for Microsoft Word. Popular exploit kits such as BlackHole, Cool Exploit, Eleonore, Incognito, Yes and Crimepack automatically infect computers by 86
Detailed section » 7 Vulnerability of IT Microsoft Windows 6% Adobe Reader/ Acrobat 15% Integrated exploits for products in exploit packs Mozilla Firefox 3% Adobe Flash 17% g Oracle Java g Adobe Flash g Microsoft Windows g Other Other 9% Oracle Java 32% Microsoft Internet Explorer 18% g Microsoft Internet Explorer g Adobe Reader/Acrobat g Mozilla Firefox Figure 13. Software abused by exploit kits exploiting vulnerabilities. The vulnerabilities that are abused are often already known and not new. In some cases these are zero-day vulnerabilities. The most notable development in the area of exploit kits was the disproportionate number of Java vulnerabilities that were abused. 7.3.3 Malware and infrastructure The majority of malware focuses on collating financially attractive data such as credit card or user ID/password details. The by-catch – such as websites visited, details entered on forms and key strokes – is often gathered at the same time. The average malware offers even wider opportunities. For example it is often also possible to secretly copy documents, take screen shots or take photos or recordings using a built-in webcam or microphone. There have already been cases where such techniques have been used for espionage, as well as for blackmail or voyeurism. It is becoming easier and more appealing for malicious attackers to capture and abuse or sell such data. As described in the core assessment, malware is a permanent element of cyber crime. Spreading malware is becoming increasingly wholesale and easier. One of the latest trends is to spread malware through legitimate websites. Malware is increasingly targeting different platforms, including Mac OS X, mobile platforms and in the case of state malware also specific industrial systems. Tools for developing, spreading and managing malware and rogue infrastructure are becoming increasingly professional. New malware is to a limited degree being detected by virus scanners and malware is becoming increasingly difficult to remove from a system. The previous CSAN indicated that 30 per cent of computers are infected with malware. The <strong>NCSC</strong> is increasingly receiving information about malware infections, rogue infrastructures and indicators of sophisticated malware. However organisations often still do not have effective detection mechanisms set up. In response, the organisations concerned generally make do with cleansing infected systems again. This means that it is impossible to subsequently establish the impact of an infection. Based on information from public sources, developments in the area of sophisticated attacks, malware and rogue infrastructure can be summarised as follows: »» An increase has been detected in state cyber espionage and sabotage activities. »» Sophisticated attacks are becoming more common and are also [48: Symantec 2013] being carried out against smaller organisations. »» Sophisticated techniques used by state actors are being adopted by organised criminals. [197] »» The attacker is increasingly gaining benefit. Despite various initiatives for improvement, the defence measures, methods and initiatives are lagging further behind the opponents’ opportunities. 7.3.4 Sophisticated malware Since the previous CSAN, investigators have once again uncovered forms of highly sophisticated malware. The Wiper, Flame, Miniflame and Gauss malware are connected to previously detected malware such as Stuxnet and Duqu. Reports often associate this with elements of an American/Israeli espionage campaign directed at targets on the Middle East, with the emphasis on Iran. Other sophisticated malware recently uncovered includes Miniduke [198] , Itaduke, RedOctober [199] and TeamSpy [200] . According to public sources it is highly probable that multiple states are now actively using sophisticated malware. It appears that the techniques used are now being copied by various actors. The Shamoon malware uses a technique of mutilating files that is based on the Wiper malware. Wiper was used to make Iranian oil companies’ systems unclear. Shamoon was used in an attack on Saudi Aramco and RasGas. [201] Whereas Wiper was a sophisticated 197 http://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide https://www.securelist.com/en/blog/682/Mediyes_the_dropper_with_a_valid_signature http://arstechnica.com/security/2012/09/ adobe-to-revoke-crypto-key-abused-to-sign-5000-malware-apps/ 198 http://www.h-online.com/security/news/item/Highly-specialised-MiniDuke-malware-targetsdecision-makers-1813304.html 199 http://threatpost.com/en_us/blogs/ rocra-espionage-malware-campaign-uncovered-after-five-years-activity-011113 200 http://threatpost.com/en_us/blogs/researchers-uncover-teamspy-attack -campaign-targeting-government-research-targets-032013 201 http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amidcyberattack. html?_r=1 & http://www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/ 87 »
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16:
Introduction Information Technology
Page 17:
Core assessment 1 Interests 17 2 Th
Page 20 and 21:
1.2 Dependency IT dependency contin
Page 22 and 23:
Increased IT dependency in electric
Page 24 and 25:
on the internet such as an electric
Page 26 and 27:
approached or incited by states for
Page 28 and 29:
Actor Intentions Skills Targets Sta
Page 30 and 31:
get the script kiddies started. One
Page 32 and 33:
location’, there is no one single
Page 34 and 35:
Furthermore, business information c
Page 36 and 37:
environments often arise from the i
Page 38 and 39: not only smart phones, tablets or c
Page 40 and 41: 5.3 Technology Norms, guidelines an
Page 42 and 43: ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 87: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?