03.07.2015 Views

third Cyber Security Assessment Netherlands - NCSC


8 Vulnerability of the end-user

The end-user is often referred to as the weakest link in security. However, too much responsibility is placed on the end-user. End-users increasingly understand the risks of the use of IT, but have limited knowledge and tools to tackle cyber security themselves. The issue is not so much one of awareness as of a limited perspective for action.

End-users play an important role in making information chains secure. End-users are personally responsible for the security of their own IT, but can they accept this responsibility? This detailed section looks at the interests, threats and vulnerabilities that concern end-users.

8.1 End-users use IT both at home and for business

End-users are huge users of the internet, mobile devices and mobile applications. According to research by the University of Twente, 87 per cent of Dutch citizens use the internet every day. [52: UT 2012] The preferred location for use is still in the home, but mobile access is increasing. The number of people owning a smartphone increased by 1 million in 2012, to around 7 million by December 2012. [19: IMGFK 2012] While in 2011, 31 per cent of Dutch people had access to the internet through a smartphone, this percentage rose to 42 per cent in one year.

The increased availability of the internet is also translating into increased use of the internet. On a working day (including leisure time) Dutch people spend on average 4 hours and 48 minutes on the internet. The increase in duration of use goes hand in hand with the increased popularity of online applications. Research by the University of Twente [52: UT 2012] resulted in a top 5 of internet uses:

»» Information (looking for information)
»» Entertainment (using the internet for pleasure)
»» Interaction with friends (to maintain contact)
»» Transaction (to make purchases)
»» Personal development (learning through the internet)

End-users are increasingly storing their confidential data on different devices (smartphones, tablets, etc.) and (online) applications, and their data is being processed electronically in more and more places. End-users share this data, which is sometimes necessary to access a service, with organisations providing online services and data storage.

The number of devices in households with an internet connection is also increasing without users even being aware of this. It is not just smartphones and tablets that are online; so are printers, network attached storage (NAS), media players, etc. For example, smart TVs use the internet for software updates or to retrieve program information. Other intelligent devices such as thermostats and security cameras also have an internet connection. Intelligent energy meters are new devices that are increasingly being installed in households. Currently, this is happening on a voluntary basis, but these meters will replace existing meters as standard in the foreseeable future.

8.2 End-users are at risk

End-users are bombarded with a raft of tools designed to get hold of data and money. Relevant forms of this are:

»» With phishing, malicious attackers search the internet in a targeted way looking for information about their victims, who are then approached by telephone. In the past, this form of fraud was targeted primarily at financial institutions. In 2012, the practice was seen to extend to (software) suppliers.
»» Installing malware means end-users can become part of a botnet. An end-user’s computer can then be used for illegal activities without the user being aware, for example to carry out DDoS attacks or to spread spam. Other malware, for example banking trojans, aims to cheat victims out of money when they use internet banking.
»» Ransomware (hostage software) hijacks the infected system’s functionality, for example by encrypting files or blocking the operating system from working. To regain access to the files, the victim must pay for the code needed.
»» A fake anti-virus product abuses end-users’ need for security with the aim of installing malicious software on the computer. A window appears on the user’s screen reporting that his computer is infected with all sorts of viruses. This fake report is followed by a request to pay a sum of money, supposedly to clean the computer.

Data leaks also remain a threat to end-users. A hack at an online service provider can result in confidential end-user data falling into unauthorised hands. However, end-users themselves are often careless in handling privacy-sensitive data, for example by saving log-in names and passwords insecurely. It appears that malware often looks for this information, which thus ends up in the hands of criminals. Data published on the internet, for example a user’s online identity, can be used by other people to send email messages, access social media or carry out (financial) online transactions.
