third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

Leak in the Humannet website belonging to the VCD IT company published personal and medical files belonging to 300,000 employees The websites of the football club AZ and the KNVB leak data from 6,000 users Break-in at web shop Replace Direct. Several account details leaked. Hack of Simpel.nl leaving multiple databases accessible 140,000 KPN DSL accounts use standard password Leak from Tix.nl makes details of 26,000 airline passengers public Pharmacy in Rotterdam puts clients’ medical details in the garbage Apr 2012 May 2012 Jun 2012 Jul 2012 Aug 2012 Sep 2012 Oct 2012 Nov 2012 Dec 2012 Jan 2013 Medical research centre Diagnostiek voor U leaks highly sensitive data of thousands of people in the Dutch province of Brabant 95,000 customer details publicly accessible due to a leak at Perry Sport website Break-in at the development environment at Far- Medvisie – personal details of 8,500 patients of two care institutions leaked University of Utrecht learning system administrative account uses a weak password Marketing campaign bol.com leaks details of 84,000 participants GGZ Drenthe leaks details of 3000 forum visitors Hack at ProServe: 800,000 company and web shop customer details stolen A computer system at the Groene Hart hospital containing the details of almost 500,000 patients is revealed to be insufficiently secured Bits of Freedom stopped after three years with the Data Leaks Black List Twente University lending system proven vulnerable, with customer details easy to access The figure above shows the data leaks in the Netherlands that the private organisation Bits of Freedom has updated to 14 January 2013. [208] 8.3 The end-user is left with security problems The devices which end-users buy (smartphones, laptops, printers, routers, etc.) are not always securely configured by default or the user interface is unclear. It is the suppliers themselves who determine how the device is set up by default and they are not bound by any rules. As a result, it is difficult for users to configure devices securely themselves and keep them up-to-date in terms of security. The consequence may be that data can be viewed or manipulated by third parties. Vulnerabilities in online devices In December 2012 the American security company Rapid7 announced (see also a programme broadcast by KRO Reporter [209] ) that it had found 83 million devices globally that could be reached by Universal Plug and Play (UPnP) control commands through the internet. The reason was the insecure configuration settings, often the default factory settings, from UPnP. This means that malicious attackers can approach these devices through the internet and then make them unavailable, adjust the settings, watch using cameras or read the content of a network driver. A quarter of these devices are set up in such a way that they can be maliciously abused. 208 https://www.bof.nl/category/zwartboek-datalekken/ 209 https://www.ncsc.nl/actueel/nieuwsberichten/upnp-beperk-het-gebruik.html http://reporter.kro.nl/seizoenen/2012/afleveringen/07-12-2012 210 http://secunia.com/vulnerability-review/vendor_update.html End-users are increasingly facing risks from vulnerabilities in software added to standard software such as third-party add-ons and (browser) plug-ins. According to recent research by Secunia [210] the number of vulnerabilities in this software, compared with vulnerabilities in the standard operating system, increased from 57 per cent in 2007 to 86 per cent in 2012. An analysis of unique NCSC advisories issued since 2010 confirms this trend. 92
Detailed section » 8 Vulnerability of the end-user Visiting respected websites, such as news sites, can also entail a risk. When visiting an infected site, attempts are made to install malware on the computer. This method of infection is known as ‘drive-by download’. This happens possibly because the (web) hosters are using vulnerable software or for example because there is malware in advertising banners. Malware on legitimate websites: Telegraaf.nl case On Thursday 6 2012, malicious software was spread briefly through the telegraaf.nl website which then attacked the PCs of visitors to this website. The aim of these attacks was to infect these PCs with malicious software. Visitors with vulnerable versions of Adobe and Java software installed on their PCs became infected with banking malware and ransomware. [211] 8.4 The end-user in the security chain The increasing complexity and greater dependence on IT requires end-users to act with care. This includes properly maintaining their own devices (timely installation of patches and updates, the use of anti-virus software/spam filters), but also concerns how users behave on the internet (use of passwords, sharing of information, visiting websites, downloading files). It can be difficult for end-users to keep their IT resources secure because a high degree of content knowledge is often needed to configure systems securely, solve problems and install the right updates. Recent research by Secunia [212] shows that the period of time between suppliers becoming aware of a vulnerability and them issuing updates has decreased significantly in recent years. However research by Microsoft shows that even if updates are available, a large number of users continue to use vulnerable software. If an application still meets the user’s needs, the choice will be made not to upgrade, whereas suppliers generally issue security updates only for the latest version. Both the government and the private sector inform end-users of potential dangers on the internet through awareness campaigns. Examples of campaigns include AlertOnline (targeted at citizens and SMEs), beschermjebedrijf.nl (targeted at IT SMEs in the Netherlands), veiligbankieren.nl (targeted at end-users of (internet) banking), DigiVaardig/DigiBewust (ECP-NL Platform) and ‘Laat je Niet Hacken, Thuis Veilig Online’, an initiative by the Dutch Consumers’ Association. The aforementioned report by the University of Twente provides an overview of the measures that Dutch citizens took in 2012 to protect themselves on the internet. The findings below demonstrate that end-users’ awareness is increasing. »» The number of people using a virus scanner has risen from 82 per cent to 87 per cent. »» There has been in increase in having automatic updates installed from 53 per cent to 59 per cent. »» Use of a spam filter has increased from 54 per cent to 58 per cent. »» Control over with whom personal data is and is not shared has risen from 33 per cent to 39 per cent. »» The percentage of internet users who regularly change their passwords has increased from 31 to 38 per cent. 8.5 Who is helping the end-user? 8.5.1 Government In addition to awareness campaigns, the government also has legislation and regulations designed to protect end-users, including: »» Duty of care and reporting as described in the Telecommunications Act (tw) (section 11a / articles 11a.1 and 11a.2). Companies that provide telephony and internet services have since 5 June 2012 been required to report incidents to the Authority for Consumers & Markets (formerly OPTA). This concerns incidents where a risk has arisen that other people could access customers’ personal details. In some cases, the telecoms companies must also inform the individuals whose details have been leaked. However companies from other sectors and governments are not obliged to report data leaks. However legislation is being prepared that will introduce compulsory reporting of data leaks. [213] »» Under the Dutch Data Protection Act (WBP) any individual concerned (end-user) who believes that his personal details are being handled carelessly is entitled to view, correct, and delete his details. The Dutch Data Protection Authority(CBP) has a website [214] where concrete tools for individuals concerned are published. The CBP itself has the legal task of supervising compliance with the Data Protection Act. »» The spam ban (article 11.7 of the Telecommunications Act) is intended to protect end-users from unwanted electronic messages (for example by email, fax, SMS or social media). The ACM is responsible for monitoring the spam ban and has set up a special complaints portal in Dutch (www.spamklacht.nl) for consumers and companies. The ACM in received 24,536 complaints about spam through this reporting point in 2012. As well as carrying out investigations, the ACM seeks active collaboration with (inter)national public and private parties. Legal judgments from spam investigations in 2012 can be found in the ACM annual [38: OPTA 2013] report 2012. 211 http://hitmanpro.wordpress.com/2012/09/08/banking-trojan-keeps-hitting-the-dutch-hard/ http://www.waarschuwingsdienst.nl/Risicos/Actuele+dreigingen/Virussen+en+wormen/ WD-2012-080+Nieuwssite+telegraaf.nl+serveert+link+naar+malware.html 212 http://secunia.com/vulnerability-review/time_to_patch.html 213 http://www.rijksoverheid.nl/documenten-en-publicaties/wetsvoorstellen/2012/11/01/ wijziging-wet-bescherming-persoonsgegevens-meldplicht-datalekken 214 http://www.mijnprivacy.nl/Pages/Home.aspx 93 »
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16:
Introduction Information Technology
Page 17:
Core assessment 1 Interests 17 2 Th
Page 20 and 21:
1.2 Dependency IT dependency contin
Page 22 and 23:
Increased IT dependency in electric
Page 24 and 25:
on the internet such as an electric
Page 26 and 27:
approached or incited by states for
Page 28 and 29:
Actor Intentions Skills Targets Sta
Page 30 and 31:
get the script kiddies started. One
Page 32 and 33:
location’, there is no one single
Page 34 and 35:
Furthermore, business information c
Page 36 and 37:
environments often arise from the i
Page 38 and 39:
not only smart phones, tablets or c
Page 40 and 41:
5.3 Technology Norms, guidelines an
Page 42 and 43:
ACM seeks active collaboration with
Page 45 and 46: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 96 and 97: In 2012, ACM received a total of 14
Page 98 and 99: car park will not open. It is annoy
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?