Cyber Security Assessment Netherlands CSBN-2

National Cyber Security Centre, Wilhelmina van Pruisenweg 104, 2595 AN The Hague, The Netherlands; P.O. Box 117, 2501 CC The Hague, The Netherlands; T +31 (0)70-888 75 55; F +31 (0)70-888 75 50; E info@ncsc.nl; I www.ncsc.nl

June 2012
National Cyber Security Centre

Via collaboration between the business sector, the government and academia, the National Cyber Security Centre (NCSC) contributes towards achieving greater defensibility of the digital domain in Dutch society. The NCSC supports central government and organisations with a vital function in society by providing them with expertise and advice, threat response and action to strengthen crisis management. It also provides information and advice to citizens, government and the business sector in order to promote awareness and prevention. As such, the NCSC is the central notification and information centre for ICT threats and security incidents. The NCSC is part of the Cyber Security Department at the National Coordinator for Counterterrorism and Security [Nationaal Coördinator Terrorismebestrijding en Veiligheid (NCTV)].

Collaboration and sources

This report has been produced by the NCSC. The Ministries, the Military Intelligence and Security Service (MIVD), the General Intelligence and Security Service (AIVD), the police (the National Police Services Agency (KLPD, THTC)), the Public Prosecution Service (the National Public Prosecutor's Office (LP)), KPN, OPTA, the Dutch Forensic Institute (NFI), Statistics Netherlands (CBS), the NVB, the Bits of Freedom digital rights organisation (BOF), the NCTV, academic institutes and universities have all made information available to the NCSC, all of which has played its part in the production of the Cyber Security Assessment Netherlands. Their contributions, the substantive reviews and public sources, a survey, information from the vital sectors and analyses by the NCSC have made a major contribution to the substantive quality of the assessment.
Foreword

Recent cyber incidents are a clear indicator that it is a challenge to put into place effective and, more in particular, timely measures to ensure that the Netherlands becomes more resilient to threats in the digital world. A wide range of incidents feature in day-to-day reality. The news regularly includes reports on attacks on vulnerabilities and disruptions to the ICT infrastructure, which is becoming ever more complex. New providers, technologies and services contribute to a growing dependence on the internet in our society. However, cyber security incidents are showing us that the internet and ICT contain vulnerabilities that can be exploited by malicious parties. These vulnerabilities are not new. Like a mantra, incidents, advice and conflicting insights follow each other continually. This does not, however, always lead to a correct follow-up. By implementing a widely known number of basic measures, it should have been possible to avoid a number of the incidents which occurred in 2011. However, compliance with the advice issued on improvements that could be made pursuant to these incidents has not been forthcoming, either through lack of awareness of the vulnerabilities and the issued advice or simply through lack of urgency. This Cyber Security Assessment reiterates some of these vulnerabilities because they are either still current or because they have become relevant through new developments.

The aim of this second Cyber Security Assessment is to describe incidents, threats and vulnerabilities which are posing a threat to the Netherlands today, thereby heightening the awareness of organisations and individuals of the cyber risks that are involved, so that they are able to take the necessary precautions and reduce their vulnerability. The Assessment also shows, for the first time, what measures have been taken to reduce vulnerability to digital threats in Dutch society.

For the time being, incidents, vulnerabilities and threats remain a fact. The challenge lies in learning from mistakes, preparing timely responses and working on prevention.

Elly van den Heuvel
General Manager of the National Cyber Security Centre
Contents

Starting points 7
Summary 9

Section 1 > Introduction 12
1.1 Purpose 13
1.2 Background 13
1.3 Object 13
1.4 Research methods 13
1.5 Reading guide 13
1.6 Key terms 14

Section 2 > Actors 16
2.1 Cyber researchers 18
2.2 Internal actors 18
2.3 States 18
2.4 Private organisations 19
2.5 Hacktivists 19
2.6 Script kiddies 19
2.7 Professional criminals 20
2.8 Terrorists 20
2.9 Citizens 20

Section 3 > Threats 22
3.1 Information-related threats 23
3.1.1 The publication of confidential data 23
3.1.2 Digital (identity) fraud 24
3.1.3 Digital espionage 25
3.1.4 Blackmail 27
3.2 Terrorist cyber threat 27
3.3 The development of cyber offensive capacities by states 28
3.4 System-related threats 28
3.4.1 The disruption of vital infrastructure 28
3.4.2 Disruption as a result of sabotage 29
3.4.3 The disruption of (online) services 29
3.5 Indirect threats 30
3.5.1 The (digital) disruption of business operations as the result of an attack on a third party 30
3.5.2 Disruption as a result of malware infections and spam 30
3.5.3 A hoax as a threat 31
3.6 Emergencies and disasters 32
3.6.1 The disruption of business operations as a result of fire, water damage or natural disasters 32
3.6.2 The disruption of business operations as a result of the failure of hardware and/or software 32
3.7 Threats and incidents handled by the NCSC 33
3.8 Threat overview 34
3.8.1 An estimate 34
3.8.2 Threat perception by citizens 34

Section 4 > Vulnerabilities 36
4.1 Vulnerabilities caused by human and organisational factors 37
4.1.1 Websites and web applications that lack sufficient security 37
4.1.2 Access security easy to bypass 38
4.1.3 Software that has not been updated 38
4.1.4 Third party recording of user surfing habits 38
4.1.5 The use of mobile devices and consumerisation 39
4.1.6 Security responsibility for Big Data 39
4.1.7 Insufficient detection of irregularities 40
4.2 Technical vulnerabilities 40
4.2.1 Achieving a reduction in vulnerabilities in standard software 40
4.2.2 Large variation in the turnaround time when resolving vulnerabilities 41
4.2.3 Vulnerabilities for mobile malware 42
4.2.4 Vulnerabilities as a result of implementation errors 42
4.2.5 Vulnerabilities inherent to the design of protocols 42
4.2.6 Vulnerabilities in GSM and satellite telephony 43
4.2.7 Vulnerabilities in SCADA and ICS 43

Section 5 > Tools 44
5.1 New method for successfully sending spam 45
5.2 The race to hide identity 45
5.3 A new type of ransomware 45
5.4 Exploit kits are being refined further 46
5.5 Major botnet involving Apple computers discovered 46

Section 6 > Resilience 48
6.1 Norms, guidelines and standards 49
6.1.1 Step-by-step plan and checklist offer municipalities prospects for action after Leaktober 49
6.1.2 The ICT security guidelines for web applications increase security level 49
6.1.3 Cookie directive to protect internet users 50
6.1.4 Information security baseline for the civil service 50
6.2 Knowledge and awareness 50
6.2.1 Citizens have a limited awareness of cyber security 50
6.2.2 Awareness of ICS and SCADA continues to be a problem 51
6.2.3 Red teaming increases awareness of cyber security 51
6.2.4 The General Intelligence and Security Service increases awareness of espionage 51
6.3 Administrative enforcement, detection and combating 51
6.3.1 The Team High Tech Crime at the National Crime Squad expands 51
6.3.2 The Team High Tech Crime arrests professional criminals and other threat groups 51
6.3.3 The Team High Tech Crime commits itself to the detection and combating of child pornography on the internet 51
6.3.4 Cyber crime is also being combated at a European level 52
6.3.5 Two new notification duties make it compulsory to report privacy breaches 52
6.3.6 The combating of botnets encouraged 52
6.4 Information exchange and collaboration 53
6.4.1 The National Cyber Security Centre commits itself to collaboration 53
6.4.2 An ICT security function harmonises security in the civil service 53
6.4.3 Combating cyber crime: achieving a balance between collaboration and enforcement 53
6.4.4 Electronic Crime Taskforce improves the combating of financial fraud 53
6.4.5 Municipal ICT security service coordinates security subjects 53
6.4.6 OPTA chooses broader approach when combating cyber crime 54
6.4.7 Interpol commits itself to international collaboration 54
6.5 Cyber security research and new methods 54
6.5.1 The government encourages cyber security research 54
6.5.2 Companies certify designers, developers and testers 54
6.5.3 Cost models to identify the cost of cyber security 55
6.5.4 The General Intelligence and Security Service supports Network Security Monitoring 55
6.6 The military forces improve digital resilience 55

Appendix 1: Bandwidths for cyber threats 57
Appendix 2: Case studies 58
Appendix 3: Vulnerabilities and incidents handled by the NCSC 62
Appendix 4: Abbreviations 64
Appendix 5: Definitions 66
Starting points

The Cyber Security Assessment Netherlands has been produced by the National Cyber Security Centre (NCSC). The starting point is that the NCSC is independent as regards its decisions on the content of the Cyber Security Assessment Netherlands. When producing the Cyber Security Assessment, the NCSC worked with various organisations and services that are affiliated with it.

Content
The Cyber Security Assessment Netherlands is an observation and analysis of national and international cyber security developments for official and political managers and policy makers. This report does not contain any recommendations or advice.

Scope
The Cyber Security Assessment Netherlands relates to the Netherlands and to Dutch interests abroad. Attention is focused primarily on (central) government, the vital sectors and citizens.

Substantive basis
When producing the Cyber Security Assessment Netherlands, use was made of (classified) information from services responsible for cyber security and the combating of cyber crime, as well as public sources, administrative sources, information from the vital sectors and analyses by the NCSC and its international partners. Where available, quantitative data are used to substantiate observations made in the Assessment.

Classification
The Cyber Security Assessment Netherlands will be published in two versions: a departmental, confidential version and a public version. In the public version, the information provided by third parties will be aggregated and anonymised.

Reporting period
The formal reporting period for this Cyber Security Assessment will extend from 1 July 2011 up to and including 31 March 2012. Recent developments up to and including May 2012 have been included in this Assessment too. The Cyber Security Assessment Netherlands seeks to provide the most current observations possible of cyber security and is not a trend, progress and/or incident report.

Presentation
The Minister of Security and Justice will present the Cyber Security Assessment to the cabinet, the Cyber Security Council and the Lower House of Parliament. Added to this, the public version of this report will be presented to contacts, interested parties and the public, via the website of the NCSC.
Summary

The security of information and communication technology (ICT), otherwise known as cyber security, is a serious subject. There are significant interests behind ICT systems which need to be defended. These interests are not limited to information but extend to all kinds of services that are vital for the functioning of Dutch society. In addition, recent incidents have shown that ICT systems are vulnerable and that actors and their motives can pose a threat to Dutch interests. Added to the above, system and information owners often underestimate the value of information. Identity data, business information and software and organisation vulnerabilities are of great value for various actors and/or are sold for large amounts of money. The easy access to these commodities is enticing increasing numbers of individuals and is responsible for the occurrence of incidents in the field of cyber security.

Our society is vulnerable. Working on making our Dutch infrastructure more resilient is therefore of continued importance. It is this realisation and the need for an integral approach that resulted, in 2011, in the formulation of the National Cyber Security Strategy. One of the strategy's lines of action is the achievement of effective and up-to-date threat and risk analyses. In December 2011, the first step was taken in the implementation of this line of action: the publication of the first Cyber Security Assessment.

As with the first Cyber Security Assessment, this second report describes the threats that exist in the national ICT domain. Threats, incidents, vulnerabilities and the measures put in place have all been identified in outline on the basis of public sources, sources that are not available in the public domain, discussions, a survey conducted amongst different parties and (operational) information from the NCSC and its associated liaisons.

This edition of the Cyber Security Assessment has been extended to include threats from internal actors, emergencies, disasters and a section on the subject of resilience. The assessment has been strengthened with more case studies on a number of characteristic security incidents, quantitative analyses and the incident figures from the NCSC. The basis for the second Cyber Security Assessment Netherlands has been broadened across the board. By doing this, the first steps have been taken towards the achievement of further differentiation and quantification in the Cyber Security Assessment.

Key findings

- In the main there has not been an observed shift in major threats. Given the serious nature of the threats that exist, they must continue to be given the attention they deserve. However, the actions of hacktivists, professional criminals and cyber researchers have become more visible in the period behind us. The other new threat groups (internal actors and emergencies) and threats in this Cyber Security Assessment pose a low to medium threat at this point in time.
- Digital espionage and cybercrime continue to be the biggest threat to the government and the business sector.
- The attacker still has the upper hand. Despite various improvement initiatives, defence measures, methods and initiatives are still failing to keep up with the motivation and perseverance of, and resources available to, opponents. A number of incidents that occurred during the reporting period were a result of simple vulnerabilities and could have been prevented through compliance with and the implementation of basic security measures.
- Consumerisation, mobile internet and the expansion of internet service provision are responsible for an exceptional increase in the number of devices connected to the internet. This will result in greater social dependence, more (software) vulnerabilities and an exponential increase in the complexity of management issues.
- The average internet user and a number of organisations lack the level of knowledge and skill necessary to be able to protect themselves properly against digital risks. A further increase in consumerisation will only compound this problem.
- Actors are increasingly working together and are sharing knowledge directly and indirectly, intentionally and unintentionally. This trend applies both for actors that are making a positive contribution to internet security and for malicious actors.
- Malicious parties are in a position to take advantage of weaknesses at an ever faster rate, in contrast to the long turnaround times that apply for organisations when implementing patches.
- While putting together the Cyber Security Assessment Netherlands, it was found that different parties and publications are using different cyber taxonomies and registration methods (cyber incidents and threats). This hinders outline analyses and the fast and uniform aggregation of data.
Actors

The nature of the activities engaged in by actors is largely the same as those described in the previous Assessment. The threat posed by the (secret) activities of states and professional criminals is still high. Citizens, private organisations and states continue to be vulnerable targets. The various actors are working together more and more and information is increasingly being shared, directly and indirectly and in some cases unintentionally too, whether for the good or to the detriment of others. In the previous period, it was observed that hacktivists and cyber researchers enjoyed increased visibility and increased media attention and that their activities increased too. The cyber researcher is a new actor in the Cyber Security Assessment, whose object is to expose vulnerability and improve security. Internal actors have also been added to this Cyber Security Assessment, as they pose a significant threat as well.

Threats

Based on analyses and incidents in this reporting period, digital espionage and malware infection and spam have been estimated as a high threat for government. Private organisations must particularly be aware of digital espionage, malware infection and spam and digital (identity) fraud. Digital identity fraud is a high threat to citizens. The most important threat groups continue to be states that engage in digital espionage activities and (professional) criminals that engage in activities for financial gain. The activities engaged in by the new sources of threat (internal actors and cyber researchers) that have been included in the Cyber Security Assessment may pose a low to medium threat.
Threat groups and the threats they pose to the three target groups (government, private organisations and citizens):

States: digital espionage
Private organisations: digital espionage
(Professional) criminals: disruption as a result of malware infection and spam; digital (identity) fraud; blackmail; the disruption of online services
Terrorists: sabotage
Hacktivists: the publication of confidential data; the disruption of vital infrastructure; the disruption of online services; hoax
Script kiddies: the disruption of online services
Cyber researchers: the publication of confidential data
Internal actors: the publication of confidential data; blackmail
Not an actor: fire, water damage and natural disasters; failure and/or absence of hardware and software

Relevance: unknown/N/A, low, medium, high (explanation: see Appendix 1).
There are various types of threats: threats that are caused deliberately by someone (information-related threats, system-related threats and indirect threats) and threats in the form of emergencies as a result of the concurrence of circumstances. The relevance of the threats included in the Cyber Security Assessment Netherlands is determined on the basis of an expert assessment. This is expressed in terms of high (red), medium (orange) and low (yellow). The threat weighting applied is described in Appendix 1.

Vulnerabilities

It has been found that the security of websites continues to receive insufficient attention. Vulnerabilities are being insufficiently resolved, because of which malicious parties are able to view and manipulate data. The access security of web applications is often not up to scratch either. The passwords chosen by users are too simple or too short, because of which they can easily be guessed by an attacker. Added to this, the log-in data applicable for one system are often re-used in other systems. Because of this, a leak in the security of one website results in a situation in which attackers are also able to gain access to other systems.

More and more employees are using smartphones and tablets and these are being used in work environments too. This concept, which is called Bring Your Own Device (BYOD), is resulting in the increasing complexity of ICT infrastructure management. Because an owner is able to install apps himself, there is a whole range of different installations. As a result, the presence of vulnerabilities and/or malware is often observed at a late stage or not at all. Currently, the vulnerabilities discovered in mobile operating systems sometimes remain unresolved for months. This makes it possible for malicious parties to gain access to information and systems. There are barely any proven measures or best practices for security in this field at the current time.

In the current reporting period, a number of vulnerabilities in ICS and SCADA systems were reported in the media. These systems are used for the operation of industrial processes. The NCSC received reports of ICS and SCADA systems that were accessible via the internet. These systems probably represent a long-term vulnerability, as it is not easy to provide them with updates when vulnerabilities in their software are discovered. Added to this, more and more software tools that make it possible for a malicious party to easily misuse this type of vulnerability are becoming available in the public domain.

Tools

The most important technical tools that threat groups use continue to be exploits, malware and botnets. Botnets still play a pivotal role in cyber attacks. What is striking is the increased attention by cyber criminals on the Mac platform, which manifested itself in the development of a big botnet of more than 500,000 Mac computers. Advanced exploit kits have made it possible for cyber criminals to develop botnets. The latest generation of exploit kits is able to attack a number of platforms simultaneously and also contains an extendable series of exploits for various different vulnerabilities. Added to this, improved user friendliness means that it is now possible for a growing group of cyber criminals and script kiddies to use these tools. Besides exploit kits, this Cyber Security Assessment will look at the way in which web mail accounts are being taken over, after which they are misused to send spam and malware. New developments have been observed in the field of ransomware too. There are now variants that only allow a computer to start up once a ransom has been paid. This Cyber Security Assessment will also describe a tool that can be used for both positive and malicious purposes: technologies that make it possible to conceal a party's identity. For example, cyber criminals can use these technologies to make it more difficult for them to be traced, whereas the police can use them to make it possible to carry out their investigations without being observed.

Resilience

Digital resilience can be defined as the ability to resist negative influences on the availability, confidentiality and/or integrity of (information) systems and digital information. Added to this, digital resilience involves the continuity of service provision and the achievement of the continued effectiveness of service provision. Important initiatives have been developed in the field of resilience in the period behind us. The most striking of these initiatives relate to increasing awareness, increasing national and international collaboration, promoting (academic) research and increasing the capacity of the NCSC, the Team High Tech Crime (THTC) and the Ministry of Defence where cyber security is concerned. At a more detailed level, increasing attention is being given to the need to combat cyber crime and botnets. Added to this, a number of legislative bills have been initiated in relation to the reporting of data leaks, for instance.

The Cyber Security Council and the NCSC have been created pursuant to the recommendations set out in the National Cyber Security Strategy. Following on from a number of major incidents in 2011, the NCSC, Logius, the Ministry of the Interior and other interested parties have published a document that provides ICT guidelines for the security of web applications. Added to this, following on from the discovery of various vulnerabilities, recommendations have been published on the security of ICS and SCADA environments. Although many separate initiatives are being developed on the theme of cyber security, it has been found that there is a great need for an integral approach in which sufficient alignment is achieved between the various initiatives. This is not new and was also one of the messages encapsulated in the National trend report on cyber crime and digital security for 2010.
Section 1 > Introduction
1.1 Purpose

The NCSC publishes the Cyber Security Assessment Netherlands (CSBN) on an annual basis. This report, which is an observation on the status of cyber security in the Netherlands, provides policy makers with insights that will enable them to strengthen resistance in the Netherlands to cyber threats and to improve existing cyber security programmes. At the request of both the Lower House of Parliament and the Cyber Security Council, future reports will be expanded to provide a more detailed overview of the status of cyber security in the private sectors and in organisations in the vital sectors. This process will be a gradual one and will take a number of years to achieve.

The following have been included in this Cyber Security Assessment for the first time:
- (internal or external) staff as actors;
- the role played by the cyber researcher;
- the threat posed by natural and unforeseen circumstances, human error and the actions of internal and external staff;
- an analysis of controls and the resistance offered to threats.

Added to the above, qualitative analyses have been given a quantitative substantiation where available. In the period ahead, the NCSC will continue to focus on the collection of more quantitative information, which will make it possible to substantiate qualitative analyses more extensively.

1.2 Background

This Cyber Security Assessment does not exist in isolation. It must be read in the context of previous publications and other initiatives. The current Cyber Security Assessment builds on the previous edition, which was published in December 2011. In the National Cyber Security Strategy, preparation of the Cyber Security Assessment is referred to as one of the tasks conferred on the NCSC.

1.3 Object

The object of the Cyber Security Assessment is to provide readers with insights into cyber security developments and the security of the digital society. The Cyber Security Assessment explains which developments can be recognised in terms of threats, actors, vulnerabilities, tools and countermeasures.

1.4 Research methods

This Cyber Security Assessment is an analysis and observation of the state of play as regards cyber security in the Netherlands. The international nature of cyber security implies that international developments are relevant for this subject too, because of which they will be discussed as well. When preparing the Cyber Security Assessment, three methods of information collection were used: a literature study, a survey and an operational analysis. Where possible, subjects have been discussed on the basis of reports published on research that has already been conducted, such as government reports, academic articles, reports from relevant market parties and reports on important events, such as the DigiNotar crisis. The information obtained in this way has been supplemented with internal information generated previously by the NCSC, such as recommendations produced by the NCSC.

Operational analysis
In addition to the study described above, the expertise and analysis capacity of the NCSC and of organisations affiliated to the centre has been drawn on too. On the one hand, a survey was circulated, the results of which have been used to support a number of findings from the Cyber Security Assessment. On the other hand, the authors of this document requested operational information from partners, and meetings were held with the staff employed by government parties that have contacts with the centre and with representatives from organisations from the vital sectors, the object of which was to include the experiences of these organisations with cyber security in the Assessment.

Information position
While preparing the Cyber Security Assessment Netherlands, it was found that different cyber taxonomies and registration methods (cyber incidents and threats) are used by the parties and in publications. The data used in registration systems and in reports are not uniform and clear. This results in varying insights and expert discussions about the quality and accuracy of reports or facts. It has been found that each organisation seems to adopt a different approach to reporting periods and to the documentation of incidents, weaknesses, threats and emergencies in registration systems. The term incident is confusing too: an incident may be entered, not entered and/or entered more than once into registration systems. In one organisation, only actual incidents will be registered, while other registration systems will register incidents as well as the detection of weaknesses and/or attempted incidents and events that are considered to be suspected incidents. This varying data quality results in reduced efficiency and effectiveness when producing (risk) analyses and aggregating data.

1.5 Reading guide

When reading this Cyber Security Assessment, readers must be aware of the structure underlying this document. The various aspects of an incident, development or fact may be spread over a number of sections and it is possible that information will be repeated too. The choice outlined above
is based on a comparative assessment of the need for the Cyber Security Assessment as a whole to be readable on the one hand and for the information in the various parts of the document to be presented in a way that is understandable on the other hand.

The various sections of this report describe the situation and developments applicable in relation to cyber security, each in a different way. Section 2 describes the roles that parties are able to play in the framework of cyber security. To achieve a proper understanding of the relevance of various threats, it is important to have an understanding of the nature and intentions of, and resources available to, the various actors involved in cyber security. Section 3 will look at the threat that these or other parties can pose to the security of citizens, organisations and (central) government. Section 4 will identify the vulnerabilities that underlie current cyber threats. The tools used by the attacking and defending sides will be described in Section 5, followed by a description of the resistance offered to threats in Section 6.

The Cyber Security Assessment includes a number of case studies in which relevant and recent incidents are singled out in order to illustrate the message underlying the main text. More quantitative data and explanations of the terminology used can be found in the appendices to this document.

1.6 Key terms

Figure 1 provides an overview of the various factors that play a role in the analyses included in this report. The interests of organisations and society (and specifically the vulnerabilities present within society) can be threatened by the actions of an actor and/or by incidents that do not involve an actor (natural disasters or fire, etc.). Where an interest and the corresponding weaknesses are compensated (defended) insufficiently by the measures (controls) put in place, a threat may lead to an incident and, in serious cases, to a disaster.

[Figure 1. The connection between key terms in the field of cyber security. Diagram of the elements actor, tools, threats, vulnerability, assets, controls, incidents and disasters, and of natural disasters, fire and human error as sources of threats that do not involve an actor.]

What is cyber security?
Cyber security is a situation in which there is no risk that danger or damage will result from the disruption or loss of ICT or from the abuse of ICT. The danger or damage ensuing from the abuse, disruption or loss of ICT may consist of the limitation of the availability and reliability of ICT, a breach of the confidentiality of the information saved in ICT systems or damage to the integrity of this information. [1]

[1] National Cyber Security Strategy
What is an actor?
An actor is a role that a party plays in a development in the field of cyber security. Although this role will clearly be offensive or defensive in many cases, it is not always possible to make a clear-cut distinction. A party may play a number of roles, which may also change gradually.

What is a threat?
A threat is an unwanted event that could happen. A threat may be external or internal and may become reality if there is a vulnerability that the threat is able to exploit. If the threat becomes reality (a cyber security incident), this will result in damage to valuable property and/or the disruption of valuable processes.

What is a tool?
A tool is a technique or computer program that an attacker can use to abuse existing vulnerabilities or to exacerbate them. In some cases, a defending party will also use tools of this kind to discover vulnerabilities and/or as a means of repression when it is the subject of an attack.

What is a vulnerability?
A vulnerability is a characteristic of a society, organisation or information system (or a part of any of these) that gives a malicious party the opportunity to impede or influence legitimate access to information or functionality, or to gain access to information or functionality without authorisation. A vulnerability is the result of human, organisational or technological factors. Resolving vulnerabilities is a direct approach to reducing the risk posed by threats.

What is (digital) resilience?
(Digital) resilience can be described as the ability of individuals, organisations or societies to offer resistance to negative influences on the availability, confidentiality and/or integrity of (information) systems and digital information. Digital resilience is also characterised by the continuity of service provision and efforts to maintain its effectiveness.

What is an incident or cyber incident?
An incident or cyber incident is a disruption of ICT service provision, as a result of which all or some of the expected availability of the service has disappeared, and/or an unauthorised effort to disclose, obtain and/or change information. In serious cases, an incident may escalate into a disaster.
SECTION 2 Actors
SECTION 2 > Actors

Figure 2. The clustering of actors (diagram). Threat groups: states, private organisations, professional criminals, terrorists, hacktivists and activists, script kiddies, internal actors. Targets: citizens. Researchers: cyber researchers.

In this section, actors and their most important characteristics are described. An actor is a role that a party plays in the field of cyber security. A party can play a number of roles, which may also change gradually. Actors also make use of each other's capacities. Actors are characterised by a certain intention and a certain profile. In the December 2011 Cyber Security Assessment Netherlands, actors were divided into two categories: threat groups and targets. In the current Cyber Security Assessment, the category of researcher has been added, under which the cyber researcher falls. The internal actor has been added too (see Figure 2). In some cases, the cyber researcher may also be regarded as an attacker or a target. The actors shown in Figure 2 are described in subsections 2.1 to 2.9.

It is often not easy to see which actor is actually responsible for a cyber security incident: attribution is a complex matter in cyber space. The level of expertise and skills available to threat groups varies from specialists to so-called script kiddies. However, the potential impact of an attack is not always proportional to this expertise: even script kiddies can cause a great deal of damage (see Section 3). Table 1 provides an overview of threat groups and their intentions, primary targets, resources, the volume of attacks and visibility. Citizens have not been included in this overview as they do not form part of a threat group. The resources, volume and visibility columns are the actor characteristics that may fluctuate over the course of time.

Table 1. Threat groups (per actor: intention (goal/manifestation); primary target; resources; volume; visibility)
States: to improve geopolitical position (to improve internal position of power); government bodies, multinationals, citizens (in the case of specific regimes); resources high; volume medium; visibility low.
Private organisations: to improve the information position; own competitors; resources high; volume low; visibility low.
Professional criminals: monetary gain; financial services and service provision, citizens; resources average to high; volume high; visibility low to average.
Terrorists: to spread fear, political objectives; high-impact targets, ideologically motivated targets; resources few to average; volume low; visibility high.
Hacktivists: to propagate an ideology; ideologically motivated targets (very diverse); resources average; volume average; visibility high.
Script kiddies: to see whether something is possible, for fun; all targets; resources low; volume high; visibility average.
Cyber researchers: to reveal weaknesses, to profile themselves; all targets; resources average; volume low; visibility high.
Internal actor: revenge, carelessness, incompetence; current and/or former work environment; resources high (easy access to internal resources); volume low; visibility low.
The estimates indicated in the table are current at the time of writing this document. Resources include the capacities and tools that are available to an actor or which an actor is able to access in order to carry out an attack. Indirectly, this could also be an indicator of the impact that a threat group could have. When it comes to resources, it is conceivable that actors will interact, with one group procuring knowledge or expertise from another group. The volume column is an indicator of the number of such attacks. However, it must be observed that this is a very rough indication, as actors that benefit from low visibility will operate largely under the radar and, as such, may distort the figures. This makes it very difficult to gain an insight into the number of actual attacks. Finally, the visibility desired is a factor that is linked in part to the intention of the threat group. For a limited number of actors, the visibility of an attack is an important aspect of the attack itself, while others actually prefer to stay out of the spotlight.

2.1 Cyber researchers
In this document, cyber researchers are actors that seek out vulnerabilities and/or break into websites and other ICT environments in order to expose the weak security of these environments. The cyber researcher group consists of idealistic researchers, parties that want to make money from their research and university researchers that may or may not have been commissioned to do research by government bodies or other organisations. A cyber researcher is a special actor that is characterised particularly by his intention to improve digital resilience. His actions are geared towards improving the security of the information processes in place in companies and government bodies or in digital society as a whole. The actions of the cyber researcher may sometimes also have indirect consequences that characterise him as part of a threat group. Both test tools and the findings of his research could be re-used by groups whose intentions are less well-intentioned. Added to this, companies may sustain damage to their image as a result of the actions of cyber researchers. Cyber researchers may sometimes be targets themselves. In these situations, the object of the attackers is to obtain research data and information about vulnerabilities. Cyber researchers often use the media as a channel for the publication of their findings and to increase awareness of cyber security. One of the considerations that prompts them to do this is the journalistic right to source protection.

2.2 Internal actors
Internal actors are individuals such as employees, hired workers, former employees and persons that are present in a company temporarily for all kinds of reasons. Where their intentions are malicious, they can pose a significant threat and be responsible for significant damage. The incidents caused by these actors can be broken down into mala fide actions and mistakes or blunders without mala fide intentions. According to the annual survey conducted by the Computer Security Institute (CSI) 2, a significant proportion of the damage caused by cyber incidents can be attributed to the actions of internal actors. The majority of respondents that took part in this research say that 20 percent of the damage ensuing from all cyber incidents can be attributed to employees with non mala fide intentions and 20 percent to internal employees with mala fide intentions. The motives of internal actors with mala fide intentions may be dissatisfaction, revenge or frustration. Internal actors may also be bribed or blackmailed, be turned against their organisations and engage in corporate espionage. Internal actors that are employed by a competitor may engage in espionage activities too. Internal actors may also be the target of social engineering, for example, and often form a stepping stone to an attack on an organisation.
2.3 States
For the purpose of this document, states are actors that form part of the government of a certain country. A state may be both an attacker and a target. Where a state acts as an attacker, its intention may be to improve its geopolitical or economic position or, for example, to exercise influence on dissident or opposition groups that oppose the prevailing regime. These intentions may take the form of digital espionage, amongst other things. Today, the biggest threat to the Netherlands from foreign powers is the threat of digital espionage, directed primarily at government organisations, the private sector, the academic sector, dissidents and opposition groups. This subject was considered in the Lower House of Parliament in February and March 2012. 3 According to the answers given to Parliamentary questions, Russia, China and Iran are amongst the countries that are engaging in (digital) espionage against the Netherlands and Dutch organisations; other countries are active too, but are not identified explicitly. A number of incidents known to the public at large are indicated in Section 3. The details of incidents that are not available in the public domain will not be revealed because of their confidential nature.

2. See, for instance, CSI 2010/2011 Computer Crime and Security Survey.
3. See, for instance, http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/2012/03/22/antwoorden-kamervragen-over-digitale-spionage-van-china-en-rusland/lp-v-j-ooooooo736.pdf
2.4 Private organisations
A private organisation may be an attacker or a target, in which case it becomes the victim of other attackers. As targets, private organisations are attacked by all of the various types of attacker and are confronted with hacktivists that break in, steal data and carry out DoS attacks, etc. They fear espionage by states and other private organisations and also need to be on guard against professional criminals, who can use the targeted or opportunistic exploitation of vulnerabilities to achieve financial gain at the expense of the target. Private organisations can use the internet to gain information about their competitors. In practice, the line between the legitimate analysis and profiling of competitors, which remains within the limits of the law, and corporate espionage, which crosses that line, is not always clear. The data obtained may vary from low-sensitivity information, such as product price lists, to high-sensitivity information, such as secret recipes or other information that is protected by intellectual property law. Corporate espionage is usually financially motivated and geared towards improving the competitive position of the company in question, amongst other things. Just as in other countries, multinationals established in the Netherlands are also affected by corporate espionage, by both other companies and states. Usually, the victims of corporate espionage are keen not to publicise this. According to the annual report published by the General Intelligence and Security Service (AIVD) 4, the Netherlands is an attractive target for espionage: awareness of the risks of corporate espionage in the Netherlands is not high everywhere and incidents often remain unobserved. Given their confidential nature, it is not possible to give examples of concrete incidents.
2.5 Hacktivists
Hacktivists are individuals or groups that are often motivated by a certain ideology and that have the knowledge needed to turn this motivation into actions that undermine cyber security. In the previous period, hacktivists were in the news as a result of the activities of Anonymous and LulzSec, amongst others. Although the knowledge and expertise of hacktivists will not necessarily be extensive, sufficient tools are available to them to enable driven amateurs to achieve a great deal. Recent incidents show that the impact of their actions is significant. 5 Hacktivists focus primarily on defacing webpages, on DDoS attacks and on hacking followed by the publication of the data stolen. Hacktivists vary greatly in the ideals they have. For example, according to the manifesto of Anonymous 6, its activities are motivated by its wish to achieve the free flow of information, freedom of expression and freedom for internet activities. These ideals manifest themselves, for example, in protests against anti-piracy legislation, protests against new legislation that results in the deterioration of privacy protection, protests against the arrest of fellow hackers or, as was the case at the beginning of 2012, protests against the hosting of a sporting event in a country that hacktivists believe is governed by a dubious regime (Formula 1 in Bahrain). Hacktivists often form part of autonomous sub-groups that lack any central authority for the organisation as a whole. Splinter groups often join bigger organisations temporarily, in which they are active solely for a certain goal and/or a certain action. There is also the impression that hackers that are not linked to an organisation of this nature align their activities and media communications with groups that are sufficiently well known and enjoy sufficient media attention. For example, the Netherlands has an Anonymous subgroup with its own manifesto. 7
Bigger groups often work together to achieve maximum effect when seeking to achieve a certain goal. For example, in June 2011, LulzSec announced its collaboration with Anonymous in Operation AntiSec, the object of which was to attack as many government bodies and banks as possible.

2.6 Script kiddies
Script kiddies are hackers who have only limited knowledge and who draw on techniques and tools that have been devised and developed by others. These individuals are often young people that have a reasonable, but not in-depth, knowledge of information security. They usually have very little awareness of or interest in the consequences of their actions. They are often motivated by mischief and their desire for a challenge. In the West, script kiddies are increasingly coming into contact with groups that have ideological or criminal motives. In this way they sometimes become hacktivists or professional criminals themselves, at which point they can no longer be referred to as script kiddies.

4. See http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/jaarverslagen/2012/04/19/jaarverslag-aivd-2011/jaarverslag-aivd-2011.pdf
5. See, for example, www.webvivant.com/feature-hacktivism.html
6. http://www.indybay/org/newsitems/2010/12/09/18666107.php
7. http://www.anonymousnetherlands.nl/manifest
2.7 Professional criminals
Professional criminals are individuals and groups of individuals that engage in criminal activities as a profession. The primary motivator for professional criminals is financial gain, and the internet is an attractive environment in which to achieve this. An example of this is internet banking fraud. As in the past, countries with a high level of computerisation are important victims of professional criminals. Professional criminals are working more and more with so-called information brokers. By engaging the services of these parties, they no longer need to take steps to find out about company infrastructures themselves, but can buy this knowledge to order. The brokers will have gathered this information themselves at an earlier stage or acquired it via other hackers. It is also becoming increasingly possible to buy ready-made information collections in this way. One example of this is the trade in lists of credit card numbers.

2.8 Terrorists
Terrorists can use the internet as a target or as a medium. Terrorist use of the internet as a target must be seen as a threat for which no concrete incidents are known at the present time. Jihadists have been making extensive use of the possibilities that the internet offers for propaganda, communication and information gathering (about the means necessary to perpetrate an attack, for example) for years now. They also use the internet to exchange expertise and plan attacks.

2.9 Citizens
Citizens are particularly vulnerable to digital threats from professional criminals whose interest in personal and financial data is financially motivated. A very relevant threat for them is that an external cause will result in a breach of their privacy. The ever greater dependence of this group on ICT and the internet, combined with its low security awareness and limited expertise on how to secure its information, makes this group very vulnerable.
For example, research conducted by Statistics Netherlands (CBS) 8 shows that 95 percent of respondents use the internet and that the use of mobile internet in particular has increased significantly over the past year (from 36 percent of respondents in 2010 to 50 percent in 2011).

8. See http://www.utwente.nl/ctit/cfes/docs/rapporten/2011_11_trendrapport2011.pdf
SECTION 3 Threats
SECTION 3 > Threats

A threat is an (indicator of an) unwanted event that could actually happen. A threat can be external (from a hacker, for example) or internal (from a fraudulent employee, for example). If a threat becomes reality, this will result in damage to valuable property, the disclosure of information and/or the disruption of valuable processes. A threat only becomes relevant where an interest (asset) is vulnerable and a malicious party intends to attack the interest. Threats are described in the subsections below and are illustrated on the basis of incidents. The first three subsections describe threats that are caused deliberately by individuals (information-related threats, system-related threats and indirect threats). This section also describes threats in the form of disasters (such as fire, water damage or natural disasters and hardware and software failure). The relevance of each threat for a particular target is established. This relevance has been estimated by experts and is expressed in terms of high, medium and low. See Appendix 1.

3.1 Information-related threats
Information, confidential and sensitive information in particular, is an important source of financial gain for various threat groups and may also enable them to improve their own position (status, advantages) or to cause damage to others. Another threat is the risk that valuable information will fall into the wrong hands and/or be disclosed. This subsection describes the relevant threats and incidents as regards the security of information.

3.1.1 The publication of confidential data
The publication of confidential (personal) data about clients, patients or suppliers poses a threat to governments, private organisations and citizens. The relevance of this threat is medium for the government and private organisations, and medium for citizens too.
The number of incidents involving leaked data that were handled by the NCSC shows an upward trend in the period after 1 July 2011. Almost one in five (19 percent) of all incidents handled by the NCSC involved leaked data.

Table 2. Incidents handled by the NCSC that involved leaked data
Quarter: number of incidents
2011 Q1: 3
2011 Q2: 4
2011 Q3: 11
2011 Q4: 8
2012 Q1: 12

The publication of confidential data belonging to government bodies and private organisations
In the past, hacktivists often tried to gain attention for their causes by publishing confidential data obtained from government bodies and private organisations. Today, cyber researchers and script kiddies are increasingly publishing confidential data following the completion of their hacking activities. The actions of cyber researchers can contribute to an improvement in resilience. Despite this, their actions are experienced as a threat when they expose vulnerabilities. If an organisation does not take steps to stop a leak promptly, there is a risk that the leak and all of its details will be published on the internet. However, cyber researchers are not the biggest threat: if they are able to gain access easily (with their limited resources), the question is who else will have (had) access to the data in question.

The Leaktober case study
In the context of Leaktober, 29 leaks affecting the private sector and government were exposed in October 2011. One of these was a leak in 50 municipal websites, which had consequences for the safe use of DigiD. This action contributed to the realisation that vulnerabilities of this nature can be exploited quite easily and can have major consequences.

An important threat may be posed by malicious (former) employees (internal actors). Not only do they have far-reaching knowledge of the processes and security measures put in place by their organisations, they also often have extensive system authorisations, which they need to be able to complete their day-to-day activities.
Incidents regularly occur in which employees are involved: in 2011, 8 percent of the managers interviewed indicated that their companies had been affected by the theft of client data or company information by (former) employees in the last 12 months. 9 The extent of the consequences ensuing from incidents in which employees were involved depends on the authorisation level and/or status of the employees in question within the organisation. For example, in a sample of incidents in which employees joined forces with individuals involved in organised crime, it was found that the damage sustained was significantly higher when employees at management level were involved in the criminal acts perpetrated. 10

9. ICT-barometer, Ernst & Young, http://ict-barometer.nl/nl/persberichten/54
10. Overview on insider threats from the CERT Insider Threat Center (Carnegie Mellon): www.cert.org/archive/pdf/12tn001.pdf

The publication of confidential data belonging to citizens
(Privacy-sensitive) data belonging to citizens are often published without the citizen being able to do anything specific about it. An example of this is the hacking of the online gaming service Sega Pass at the end
of 2011. Dutch users of this service were affected after log-in names, e-mail addresses and encrypted passwords were stolen. Worldwide, data belonging to 1.3 million gamers were stolen. In other incidents, very sensitive data were published, as was the case in an incident in April 2012 involving an application for medical laboratory results. 11 Citizens have only a limited influence on the storage and removal of data relating to them. Individuals leave digital traces behind in many places. Although this is sometimes deliberate (through the use of social media, for example), it is often unintentional too. For example, when visiting websites or using mobile equipment, surfing behaviour is recorded. This information is aggregated and correlated across a large number of websites, making it possible to build up detailed profiles of individual internet users. The collection of these profiles is a source of information, sometimes achieved through the combination of confidential and sensitive information. These profiles are increasingly being sold and resold. In addition, an increasing number of devices and products are being developed that contain sensors and/or wireless identification chips (RFID) that can be read remotely. For example, passports and public transport chip cards contain RFID chips of this nature. By reading these chips at stations and other busy places, it becomes possible to profile people's movements and/or follow them.

3.1.2 Digital (identity) fraud
Another information-related threat is digital identity fraud. An identity fraudster adopts the identity of someone else with the object of achieving financial or material gain by doing so. This is referred to as financial identity fraud. 12/13 Financial identity fraud poses an important threat to private organisations and citizens. The relevance of this threat is high for private organisations (financial institutions).
The threat of financial identity fraud is certainly present for citizens too. As a result of the effective safeguards put in place by banks, the relevance of this threat for them has been classified as medium. Every day, online payment transfers are at risk from professional criminals, who use financial fraud to cause damage to both banks and citizens in the Netherlands. The total figure for financial fraud in payment transactions in the Netherlands was more than 92 million euro in 2011. More than 35 million euro of this amount involved internet banking and almost 39 million euro involved skimming fraud. 14 The remaining amount can be attributed to credit card fraud and other forms of fraud. For criminals, personal data are an important tool that enables them to commit financial identity fraud. They use different methods to obtain personal data, including the extraction of personal data from computers that have been infected with malware, the reuse of data from earlier data leaks and phishing.

Internet banking fraud
The damage sustained in 2010 as a result of internet banking fraud represented 0.001 percent of the total transaction volume. In recent years, internet banking fraud has increased, reaching 35 million euro in 2011. The total damage resulting from internet banking fraud is shown in the table below. In 2011, there were a total of 7,584 incidents of damage.

Table 3. Damage resulting from internet banking fraud 15/16
Year: damage
2008: 2.1 million euro
2009: 1.9 million euro
2010: 9.8 million euro
2011: 35.0 million euro

Fraud by skimming payment cards
After a decrease in the damage ensuing from skimming (copying) payment cards in 2010, this increased again in 2011. Skimming fraud increased from 19.7 million euro in 2010 to 38.9 million euro in 2011 (see Figure 3). This is 0.03 percent of the transaction volume involving payment cards in 2011 (transaction volume for 2011: 138 billion euro). The Dutch Banking Association [Nederlandse Vereniging van Banken (NVB)] assumes that the attack carried out by criminals in 2011 will have been their last big attack.

Besides the traditional magnetic strip, each payment card in the Netherlands today also has a Europay Mastercard Visa (EMV) chip. The exclusive use of this chip makes it more difficult to skim payment cards. Besides the EMV chip, payment cards also retain a magnetic strip for use abroad. It is still possible to copy and abuse this magnetic strip. Some banks have announced that they will block all payment cards for use outside Europe. 17 However, attackers are also coming up with new ways to attack the EMV chip on payment cards. As such, there continues to be a race between criminals and the financial institutions.

11. http://www.medicalfacts.nl/2012/04/19/medische-gegevens-duizenden-brabanders-op-straat-viadiagnostiek-voor-u
12. P. Van Schijndel, Identiteitsdiefstal (The Hague 2008), Appendix B/Figure 2
13. Another motive underlies crimes committed on the basis of a stolen identity: the fraud leads a trail to the wrong person. This is referred to as criminal identity fraud. This subject will not be discussed in this report.
14. http://www.nvb.nl/home-nederlands/nieuws/nieuwsberichten/betalingsverkeer-veilig-ondanks-toename-fraude.html, 26 March 2012
15. Source: Dutch Banking Association (NVB)
16. http://www.nvb.nl/nieuws/2011-03/q_a_internetbankieren.pdf
17. http://webwereld.nl/nieuws/110409/rabobank-blokkeert-als-eerste-pinpas-buiten-europa.html
Figure 3. Damage resulting from (skimming) fraud involving payment cards, in million euros (bar chart, 2006 to 2011; vertical axis 0 to 45).

3.1.3 Digital espionage
Digital espionage is geared towards obtaining confidential information that has economic or political value, for example, but may also be motivated by the wish to achieve direct monetary gain. Government bodies, private organisations, dissidents and opposition groups are all potential targets for digital espionage, in the Netherlands too. The General Intelligence and Security Service has been reporting the concrete threat posed by digital attacks since 2007. More recently, for instance, the espionage vulnerability analysis (Kwetsbaarheidsanalyse Spionage, KWAS) conducted in the Netherlands at the beginning of 2011 described the threat of digital attacks as a means of espionage. 18 In the previous period, it was found that the relevance of the threat of digital espionage is high for both government bodies and private organisations.

Figure 4. Overview of incidents of digital espionage in the Netherlands and abroad (timeline, July 2011 to April 2012)
July 2011 to date: Digital attacks on the Syrian opposition, amongst others in the Netherlands.
August 2011: Operation Shady RAT: a large-scale attack in which the networks of 72 government bodies and companies were hacked.
September 2011: The Lurid Downloader: a digital attack on government agencies and companies, primarily in Russia and other former Soviet countries.
November 2011: The NITRO attacks: a series of digital attacks on companies in the chemical industry and other industries, including in the Netherlands.
January 2012: Digital attack on Azerbaijani government bodies from Iran and the Netherlands.
January 2012: The Lords of Dharmaraja: a digital attack on the US-China Economic and Security Review Commission.
February 2012: The Sin Digoo affair: digital attacks on government institutions and companies in Europe and Asia.
March 2012: Russian opposition figures become the victims of malware spread via e-mails that supposedly contain details about a future anti-Putin demonstration.
March 2012: Various NATO soldiers and diplomats accept Facebook friend requests from someone posing as a senior American NATO officer, as a result of which their Facebook data ended up in the hands of third parties.
March 2012: Digital attack on the BBC, as a result of which satellite signals to Iran were blocked.
March 2012: The Australian government excludes a Chinese telecom company because of the risk of digital espionage.
March 2012: At a time of escalating tension about Iran's nuclear ambitions, a spam mail is sent with an attachment called "Iran's Oil and Nuclear Situation".
March 2012: Malware spies on Georgian citizens and searches for keywords such as KGB, FSB and CIA.
March 2012: Intimidation and hacking of e-mail accounts of ICC witnesses in the Kenya proceedings.
April 2012: Operation Lucky Cat: digital attacks targeting Japanese, Indian and Tibetan organisations.

18. Kwetsbaarheidsanalyse spionage; Spionagerisico's en de nationale veiligheid, AIVD, 2011
For states, digital espionage is an attractive method of obtaining information, because a wide range of targets can be attacked with resources that are relatively inexpensive and with a small risk of discovery. The use of proxy servers and anonymisation services like Tor impedes the recognition and attribution of digital espionage. This difficulty of attribution makes it precarious to substantiate the number of cases in which a state actor is involved in digital espionage. Figure 4 on the previous page shows incidents that occurred in the previous period. These illustrate the extent, diversity and international interrelatedness of digital espionage. Several of these attacks resemble each other in terms of the malware used. This suggests that malicious parties at least familiarise themselves with each other's attack methods, or even exchange data about targets, attack techniques and/or tools. The Netherlands is an electronic transit country, as a result of which espionage activities are also carried out via the Dutch ICT infrastructure.

Digital espionage targeting government bodies

There continues to be great interest in confidential government information, and attackers are willing to go to considerable lengths to organise an attack and hide its origins. States are the most obvious actors here. However, it is difficult to attribute digital attacks to specific states because of the technologies used to mask the origin of an attack. Added to this, many attacks are carried out by so-called patriotic hackers. It is difficult or impossible to link these hackers to government agencies, so state involvement can always be denied. Malicious parties, including other states and criminals, frequently use targeted attacks to infect systems within government bodies and thereby intercept sensitive information. An Australian example shows how this threat is experienced.
The Australian government has decided to exclude a Chinese multinational from a tender for the laying of its national fibre optic network. 19 This decision is based on concerns about conceivable ties between the multinational in question and the Chinese government, and on concerns about cyber attacks from China. No digital espionage by the market party in question had been demonstrated. Protecting the integrity and confidentiality of the national fibre optic network, and of the information transmitted via it, is of paramount importance to Australia.

Digital espionage targeting the private sector

Digital espionage is a serious threat for private organisations too. Only limited insight exists into actual incidents, because the companies affected are reticent about sharing information on incidents of this nature. The nature of this threat broadly corresponds with digital espionage targeting government bodies. Two variants can be identified: espionage that directly targets intellectual property belonging to a private organisation, and espionage that targets information about a client (in the defence industry, for example). In the previous period, attacks were primarily observed on Dutch companies in the defence, maritime, aviation, space and (petro)chemical industries. The Duqu case study illustrates how far some actors are willing and able to go to obtain information through digital espionage.

Case study: Duqu

The Duqu malware was discovered in October 2011. 20 Because of several similarities between Duqu and Stuxnet, Duqu was initially interpreted as a threat to ICS and SCADA systems. This was found to be incorrect. Duqu was used to carry out a targeted attack on a limited number of organisations, with the object of collecting data.
Due to the limited number of targets, the malware spread to only a limited extent; as far as the NCSC is aware, only a few locations in Europe were infected. Computers became infected after users opened an e-mail attachment: a Word document that exploited a zero-day vulnerability in Windows (a TrueType font parsing vulnerability in win32k.sys). This vulnerability has since been resolved with a patch.

Digital espionage targeting dissidents and opposition groups

Particularly since the outbreak of protests by the Green Movement in Iran in 2009 and of the Arab Spring in Syria in 2011, opposition groups from both countries have regularly been the victims of digital attacks. Attacks of this nature have been carried out in the Netherlands too, as is clear from the hacking in January 2010 of the Netherlands-based Iranian opposition broadcaster Radio Zamaneh and of the Facebook pages of Syrian opposition groups in the Netherlands in 2011. In both cases, the digital attacks consisted of defacements, in which the sites' start pages were replaced with statements in favour of the ruling regime and threats against the opposition. These attacks were claimed by the Iranian Cyber Army and the Syrian Electronic Army respectively. Given the tight government controls on the internet infrastructure in both countries, it is likely that the Iranian and Syrian authorities are aware of these digital attacks and, at the very least, passively support or condone them.

19. http://tweakers.net/nieuws/80885/overheid-australie-boycot-huawei-wegens-chinese-cyberaanvallen.html
20. http://www.govcert.nl/actueel/nieuws/microsoft-brengt-update-uit-voor-lek-misbruikt-door-duqu-malware.html
3.1.4 Blackmail

Blackmail is a well-known phenomenon, in the digital world too. In the second half of 2011 and the first quarter of 2012, this threat became increasingly relevant for citizens and private organisations. Blackmail is frequently perpetrated through malware known as ransomware. The ransomware about which the National Police Services Agency (KLPD) issued warnings in March 2012 is an example. 21 This ransomware claimed that the KLPD had discovered child pornography on the PC; the owner would only be able to use the PC again after paying 100 euros. In addition to ransomware, criminals also use more traditional tools, including threats to publish confidential or sensitive information. The blackmailing of a Belgian credit provider is an example. 22 In the last half year, an incident came to the attention of the Dutch authorities in which (digital) intellectual property was stolen with the intention of achieving financial gain via blackmail. The Netherlands is not the only country observing an increase in blackmail. Ransomware used to be used primarily in Russia, 23 but various European countries are now more affected by ransomware infections: of the ransomware infections observed, for example, 9.6 percent were in Germany and 4.1 percent in France, against just 1.6 percent in Russia. The increase in the use of ransomware is also supported by figures from SurfRight (see Figure 5). 24 Its observations show that the share of ransomware in overall malware infections rose rapidly from April 2012, from less than 1% to more than 5%.
3.2 Terrorist cyber threat

Jihadists have for years made extensive use of the possibilities the internet offers for propaganda, communication and information gathering (about the means needed to perpetrate an attack, for example). They also use the internet to exchange expertise and plan attacks. The role the internet plays for Jihadists is described in more detail in a publication by the General Intelligence and Security Service: Het jihadistisch internet. Kraamkamer van de hedendaagse jihad. However, the offensive use of digital resources by Jihadists is still in its infancy. To date, only limited concrete intentions have been identified, and barely any capacity for Computer Network Exploitation (CNE) or Computer Network Attacks (CNA). That said, Jihadists are philosophising about the possibilities of large-scale cyber attacks, and attempts are being made to pool technical knowledge. The technical knowledge they currently have is not sufficient to carry out attacks of that type. At present, no serious threat of an attack by Jihadist terrorists has been observed in cyberspace. One important reason is that Jihadists currently lack the capacities needed for such attacks, nor do they currently seem willing to make the investments necessary to develop them. Although Stuxnet has proven that physical and digital vital infrastructure can be damaged with digital resources, this ability still lies far beyond the reach of Jihadist organisations. Developing a Stuxnet-like tool (one capable of physical impact) demands significant expertise, several different specialisms and considerable development time.

Figure 5. Malware percentage per type over the period from July 2010 to June 2012 (line chart by month; series: Zbot, SpyEye, Mebroot, Zaccess/Sirefef, Alureon, FakeAV, Ransom, Winlock; the plotted values are not recoverable from the text)

21. http://www.politie.nl/klpd/nieuws/120316klpdwaarschuwt.asp
22. http://nos.nl/artikel/368857-hackers-chanteren-belgische-bank.html
23. Trend Micro Smart Protection Network (feedback taken in February 2012)
24. http://www.surfright.nl/en/hitmanpro/prevalence/april-2012
The current lack of capacities may of course change if talented hackers decide to join forces with terrorists. Even then, however, the possibilities are not endless. Although an individual hacker can certainly cause chaos, nuisance and financial damage, achieving social disruption with digital resources is a complex operation. A Stuxnet-like virus, capable of causing a disaster in the physical world, requires more capacity than an individual hacker has available. A second possibility open to terrorists, and one that would increase their power, is to hire the expertise of cyber criminals. To date, however, there have been no indications that this is what terrorists are seeking to do. This may be because they feel that the investments necessary do not outweigh the expected impact of a digital attack. Added to this, involving an extra party brings an increased risk of discovery by the authorities. At present, a digital attack may be a less suitable and less cost-efficient way for terrorists to create fear and thereby disrupt society; a traditional physical attack may still be a better option for them. Moreover, although Jihadists have in principle proved that they have the capacities to carry out a traditional attack, they still seem to lack the capacities required for a digital attack. The only concrete examples of cyber activity by Jihadist terrorists are defacements of websites. These defacements were relatively simple to carry out, as the websites concerned usually did not have the best security in place. In short: although a digital attack can be a very effective way of disrupting an organisation, or even a country if carried out on a very large scale, actions of this nature are not currently expected from Jihadist terrorists.
3.3 The development of cyber offensive capacities by states

Given its intensive use of high-quality systems for a variety of purposes, the Dutch defence organisation depends on reliable internal and external networks and digital technology. As a result, the Ministry of Defence may be vulnerable to digital attacks, and it must take effective action to defend itself against them. In a military conflict, state actors pose an important threat because of the offensive cyber capacities available to them. A number of countries already have these capacities and others are currently developing them. Iran is a good example: the Iranian military claims that its aspirations include the ability to engage in digital warfare. The capacities of non-state actors, which put them in a position to cause technological disruption, also pose a threat to the Ministry of Defence. In the medium term, the biggest threat to the Ministry of Defence comes from the various actors with high-quality digital offensive capacities. These actors could organise attacks on a specific military target and thereby seriously curtail the armed forces' freedom of action. Another threat to the armed forces is a lack of knowledge about, and insight into, the possibilities for digital attacks. In practice, the armed forces and the technological industry that works with them are subject to continual attempts at digital break-ins. Information in this sector has great strategic and economic value, which makes organisations in this sector prime targets for digital espionage. In recent years, for example, various renowned American defence contractors have been forced to admit that intellectual property was stolen as a result of digital break-ins. The armed forces must also be alert to the secret and deliberate insertion of vulnerabilities into ICT products used for defence purposes.
Given the extent to which military action depends on ICT resources, this is a very real threat. Intelligence services will not hesitate to manipulate equipment to be supplied to potential opponents. The complexity and diversity of the components used in systems make this an increasing risk.

3.4 System-related threats

For the purposes of this document, system-related threats are threats geared towards disrupting the availability or provision of a service or the operation of an organisation. The result may be that the service in question becomes impossible to access, is sabotaged and out of operation for a protracted period, or starts to perform other, unintended actions. This subsection describes the relevant threats regarding the (digital) disruption of systems within the vital infrastructure and of (online) service systems.

3.4.1 The disruption of vital infrastructure

The Cyber Security Assessment of December 2011 identified the disruption of ICS and SCADA systems as a relevant threat. Compared with the last period, we regret to observe that these threats have become more realistic. Two developments are relevant here:
- Cyber researchers are showing an increasing interest in security problems in ICS and SCADA systems, prompted in part by the wish to draw attention to these problems.
- Hacktivists appear to be interested in obtaining knowledge about ICS and SCADA systems and their security.
In October 2011, a confidential document produced by the United States Department of Homeland Security was published on the internet. This document, entitled Assessment of Anonymous Threat to Control Systems, assesses signs that the Anonymous hacktivist group is showing an increasing interest in ICS and SCADA systems. In January 2012, after the launch of the NCSC, a number of cyber researchers drew attention to the sometimes inadequate security of ICS and SCADA systems. Most of these reports were not made directly to the NCSC or the media, but via public channels like Twitter and Pastebin.com. In a number of these cases, the NCSC mediated between the researchers and the organisations in question. The NCSC also circulated two publications 25 26 containing information about the security problems that exist in ICS and SCADA systems. One of the reports mentioned above concerned the operation of a number of pumps in the sewer system operated by the municipality of Veere. The vulnerability had arisen from poorly secured network connections combined with easy-to-guess log-in data. In the television programme in which this report was made, it was suggested that all pumping stations and locks were at risk and that large parts of the country could be flooded before anyone noticed what was happening. Although abuse of this access could have resulted in damage and inconvenience, a scenario of this nature was not actually possible. The risks reported were sometimes overestimated in other reports too.
Because ICS and SCADA systems are far from always part of the vital infrastructure, and because additional measures are often in place to prevent or detect unwanted influencing of processes, it is not easy for an outsider to correctly assess how serious a vulnerability is. In January 2012, the specialist S4 conference on ICS and SCADA security was held, at which cyber researchers discussed vulnerabilities in these systems. Since this conference, Metasploit 27 modules have regularly been published that can be used to test the security of a range of ICS and SCADA systems. However, malicious parties can also use this information to exploit the vulnerabilities of such systems.

25. NCSC factsheet FS2012-01, https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/factsheets/beveiligingsrisicos.html
26. Security checklist for ICS and SCADA systems, https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/factsheets/checklist-beveiliging-van-ics-scada-systemen.html
27. Metasploit is a software package that can be used to carry out security tests.
28. www.justice.gov/usao/nj/press/files/cornish, Jason Sentencing News Release.html

3.4.2 Disruption as a result of sabotage

System sabotage is a traditional approach to disrupting processes and organisations: systems are deliberately vandalised with the object of causing as much damage as possible. Sabotage is often linked to terrorists, because of their idealistic motives. However, sabotage is more likely to be based on revenge or mischief, and a frustrated (former) employee is one of the actors that could pose this threat. The Shionogi case study illustrates this.

The Shionogi case study

An employee is dismissed from the pharmaceutical company Shionogi without his access rights being withdrawn. He then uses these access rights to cause major damage.
After his dismissal, he uses the wireless network at a fast-food restaurant to log in to the management environment for the virtual servers used by his former employer, after which he deletes 88 virtual servers. The offender was sentenced to 41 months' imprisonment and ordered to compensate his former employer for more than $800,000 of damage. 28

3.4.3 The disruption of (online) services

Online services play an important role in economic transactions. The disruption of these services is a relevant (medium) threat for government bodies and private organisations. Everyone will be familiar with DDoS attacks on websites, which render them unusable. Websites that attract a large number of visitors are also an attractive target for spreading malicious content (see the NU.nl case study). Criminals deliberately target popular websites and are thereby able to infect a large number of computers in a very short time. If an attack succeeds, these websites are used to infect visitors, and the criminals responsible have also dealt a blow to (confidence in) online services. Such attacks often put websites out of action temporarily, leaving them unable to provide online services. No notification obligation applies to this type of incident. Added to this, in many cases the owners of sabotaged websites are under no obligation to inform visitors of their exposure to a possible infection. Visitors are therefore completely reliant on the sense of responsibility of individual website owners, which determines whether they will encounter adequate security measures.
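The Shionogi case study above turns on two missing controls: the account was not disabled when the employee left, and nobody noticed a former employee logging in to the virtual-server management environment from an outside network and deleting servers. The following Python example is added here and is not part of the CSBN-2 report or of the Shionogi case: it takes a constructed HR offboarding register and a few constructed audit log lines and shows both the preventive check (which still-enabled accounts should already have been disabled) and the detective one (activity by an offboarded account after its last working day, with the source address classified as internal or external). The account names, dates, addresses, log format and network ranges are all assumptions made for the illustration.

```python
"""Added example: stale-access checks after offboarding (all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed HR register: account name -> last working day (end of day, UTC).
OFFBOARDED = {
    "jdoe": datetime(2012, 1, 31, 23, 59, 59, tzinfo=timezone.utc),
    "asmith": datetime(2012, 3, 15, 23, 59, 59, tzinfo=timezone.utc),
}

# Constructed: accounts the directory still reports as enabled.
ENABLED_ACCOUNTS = {"jdoe", "bwong", "asmith", "cnovak"}

# Constructed: address ranges treated as the organisation's own networks.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Constructed audit log, one event per line:
# <ISO-8601 UTC timestamp> <account> <source IP> <action> <target>
SAMPLE_LOG = """\
2012-02-01T08:12:03Z jdoe 198.51.100.23 login vm-mgmt
2012-02-01T08:14:41Z jdoe 198.51.100.23 delete-vm app-db-07
2012-02-01T09:00:00Z bwong 10.1.4.20 login vm-mgmt
2012-03-10T17:22:09Z asmith 10.1.4.31 login fileserver
2012-03-16T01:05:55Z asmith 203.0.113.9 login vm-mgmt
"""


@dataclass(frozen=True)
class Finding:
    account: str
    timestamp: datetime
    src_ip: str
    action: str
    target: str
    external: bool  # True when the source address lies outside CORPORATE_NETS


def as_utc(value):
    """Accept an aware datetime or an ISO-8601 'Z' string and return an aware datetime."""
    if isinstance(value, str):
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return value


def parse_event(line):
    """Split one audit log line into (timestamp, account, src_ip, action, target)."""
    ts, account, src_ip, action, target = line.split()
    return as_utc(ts), account, src_ip, action, target


def is_external(src_ip):
    addr = ip_address(src_ip)
    return not any(addr in net for net in CORPORATE_NETS)


def accounts_to_disable(enabled=ENABLED_ACCOUNTS, offboarded=OFFBOARDED, now=None):
    """Preventive check: enabled accounts whose owner's last working day has passed."""
    now = as_utc(now) if now is not None else datetime.now(timezone.utc)
    return sorted(a for a in enabled if a in offboarded and offboarded[a] < now)


def find_stale_access(log_text, offboarded=OFFBOARDED):
    """Detective check: events by an offboarded account after its last working day."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, account, src_ip, action, target = parse_event(line)
        last_day = offboarded.get(account)
        if last_day is None or stamp <= last_day:
            continue  # not offboarded, or activity before the last working day
        findings.append(Finding(account, stamp, src_ip, action, target, is_external(src_ip)))
    return findings


if __name__ == "__main__":
    print("still enabled, must be disabled:", accounts_to_disable(now="2012-03-20T00:00:00Z"))
    for f in find_stale_access(SAMPLE_LOG):
        where = "EXTERNAL" if f.external else "internal"
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.account} {f.action} {f.target} "
              f"from {f.src_ip} ({where})")
```

The preventive check is the one that would have stopped the Shionogi incident; the detective check is what should fire if the first one is skipped. Both only work if the HR register and the directory use the same account identifiers and the audit log of the management environment is actually collected, which is worth verifying before relying on them.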
The NU.nl case study

On 14 March 2012, attackers managed to place malicious code on the popular news website NU.nl. This happened after an NU.nl employee's log-in data for the content management system (CMS) ended up in the wrong hands. 29 The object of the attack was to infect visitors to the site with malware. Research has shown that an estimated 100,000 systems were affected. 30 This attack tactic is known as a drive-by download and is not new. What is unusual is that one of the Netherlands' most popular websites 31 formed part of such an attack. The Sinowal banking malware was installed on victims' systems; among other things, this malware manipulates bank transactions and intercepts log-in data for websites.

3.5 Indirect threats

Anyone who uses ICT is largely dependent on the products and services provided by third parties. These third parties may be producers of applications or hardware components, or parties that host hardware and software for the organisation. Attacks on these third parties can have a major impact on the availability, confidentiality or integrity of the client's own services and information.

3.5.1 The (digital) disruption of business operations as the result of an attack on a third party

An attack on a third party on which an organisation depends can have major consequences for that organisation's own business operations. These consequences may even transcend the individual organisation, affecting a whole sector or, as in the case of DigiNotar, a whole country. Dependence on third parties for (primary) business operations continues to increase, partly because of chain dependence (and knowledge about the chain), intertwining, complexity and the outsourcing of business processes and systems. As a result, an organisation is just as vulnerable to a threat as its supplier (the third party) is.
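In the NU.nl case study above, the attackers did not break the web server; they used stolen CMS credentials to publish content, so every page built from that content served the drive-by download to visitors. A control that catches this regardless of how the content got in is to audit what the site actually serves: every script, iframe, embed or object reference must point at an origin the site owns, and every inline script must match a known template. The following Python example is added here and is not part of the report or of NU.nl's own tooling; the HTML, the hostnames, the allowlist and the baseline inline script are all constructed for the illustration.

```python
"""Added example: audit served HTML for active content the site does not own (constructed data)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the site's own hostnames, the only origins allowed to supply active content.
PAGE_HOST = "www.example-news.nl"
ALLOWED_HOSTS = {"www.example-news.nl", "static.example-news.nl"}

# Constructed: the one inline script the CMS templates legitimately emit, kept as a
# hash so that any injected inline script stands out.
TEMPLATE_INLINE = 'window.siteConfig = {"edition": "nl"};'


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


BASELINE_INLINE = {sha256_text(TEMPLATE_INLINE)}

# Constructed page: a legitimate head, then an injected hidden iframe, an injected
# external script and an injected inline script in the body.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example-news.nl/lib/jquery.js"></script>
<script>window.siteConfig = {"edition": "nl"};</script>
</head><body>
<h1>Headline</h1>
<iframe src="http://203.0.113.45/ads/show.php" width="1" height="1" style="display:none"></iframe>
<script src="http://203.0.113.45/js/stat.js"></script>
<script>var d=document;d.write(unescape('%3Ciframe src=%22//203.0.113.45/x%22%3E'));</script>
</body></html>"""

ACTIVE_TAGS = {"iframe", "frame", "embed", "object"}


class ActiveContentCollector(HTMLParser):
    """Collects external active-content references and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.refs = []      # (tag, url) in document order
        self.inline = []    # inline <script> bodies, whitespace-stripped
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.refs.append(("script", a["src"]))
            else:
                self._in_script, self._buf = True, []
        elif tag in ACTIVE_TAGS:
            src = a.get("src") or a.get("data")
            if src:
                self.refs.append((tag, src))

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data verbatim (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def origin_host(url, page_host):
    """Host a reference resolves to; javascript:/data: URLs are reported as their scheme."""
    parts = urlparse(url)
    if parts.scheme in ("javascript", "data"):
        return parts.scheme + ":"
    return parts.netloc.lower() or page_host   # a relative URL stays on the page's host


def audit_page(html, page_host=PAGE_HOST, allowed=ALLOWED_HOSTS, baseline=BASELINE_INLINE):
    """Return (kind, detail) for every reference or inline script not on the allowlist."""
    collector = ActiveContentCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, url in collector.refs:
        if origin_host(url, page_host) not in allowed:
            findings.append((tag, url))
    for body in collector.inline:
        digest = sha256_text(body)
        if digest not in baseline:
            findings.append(("inline-script", digest))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE):
        print(f"UNEXPECTED {kind}: {detail}")
```

Run as a post-publish hook in the CMS or as a periodic crawl of the live site, a non-empty result is the signal to pull the page and rotate the CMS credentials. The hash baseline only works for inline scripts that are identical on every page; templates that embed per-article data need a per-template pattern instead, and the check says nothing about a compromised third-party script host that is on the allowlist.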
This threat may arise from an attack on the client's data (held by the third party), from an attack on data belonging to others that damages the client's own data, or from the attractiveness of the large collections of data held by the third party. Compared with other threats, the relevance of this threat is low for government bodies and private organisations alike. The KPN case study, in which KPN stopped issuing certificates as a precautionary measure, illustrates this threat (see the box). Organisations that use certificates issued by KPN are vulnerable to any threat that manifests itself at KPN.

The KPN and certificates case study

The DigiNotar crisis has increased awareness of dependence on third parties' cyber security. Organisations have become more alert and are analysing their dependencies more carefully. This alertness is borne out by an incident at KPN in November 2011. KPN, one of the four providers of PKI government certificates, temporarily stopped issuing security certificates as a precautionary measure because it was thought that one of its web servers might have been hacked. During an internal investigation, KPN discovered a number of log files showing that the KPN web server had been compromised four years earlier. After an independent assessment found no further deficiencies, KPN put its infrastructure for issuing and signing security certificates back online. Ultimately, the incident had no direct consequences for either KPN or its clients.

3.5.2 Disruption as a result of malware infections and spam

The disruption of business operations as a result of malware infections and spam poses an important threat to the government, the private sector and citizens. Cleaning a network can be expensive, both in direct costs and in the indirect costs of lost productivity.
As a result, the relevance of this threat is high for the government, private organisations and citizens. The infections concerned here are those caused by uncontrolled malware: malware that spreads unchecked with the object of infecting as many systems as possible and adding them to a botnet. The object is often not the infection itself, but to create a foothold that can be used for other purposes and/or to infect other systems with spam and malware. An extensive malware infection can shut down (parts of) a business network. The NCSC monitors possible malware infections. In 2011 and the first quarter of 2012, 2,400 reports were received relating to organisations in the NCSC's target group. These 2,400 reports ultimately resulted in 47 incidents in which the NCSC provided assistance. Most of these 47 incidents involved malware infections linked to the Conficker worm and the Zeus Trojan.

29. http://www.nu.nl/media/2763447/korte-tijd-malware-verspreid-via-nunl.html
30. http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident
31. http://www.alexa.com/topsites/countries/nl
A number of infections with the SpyEye Trojan were observed too, ranging from infections on an organisation's own systems to infections on public WiFi networks. The fact that many malware infections still originate from Conficker (a worm that dates back to 2008) shows that many organisations install only a limited number of software updates and do not always have virus scanners installed. Spam is often a result of malware infections and is received relatively frequently in the Netherlands compared with other European countries. 32 In the Netherlands, OPTA processes complaints about spam. In 2011, 27,371 complaints about spam were received via Spamklacht.nl, the majority of which (24,337) related to spam received via e-mail. 33 For e-mail, this represents an increase of approximately 7 percent compared with 2010. 34 Only small shifts can be observed in the types of spam complained about. In 2011, two fines totalling 880,000 euros were imposed for sending spam, and dozens of warnings were issued. In 2011, a report was published that studied malware infections from the citizen's perspective, focusing specifically on malware that makes the target a member of a botnet. 35 The report's cautious estimate is that five to ten percent of Dutch households had at least one computer that was a member of a botnet in 2009 and 2010. According to observations by SurfRight (see Figure 6), 36 the number of infected PCs is actually higher: the percentage of infected PCs fluctuated at approximately 30% over a period of two years. This observation and the earlier research are difficult to compare because they measure the extent of PC infection differently.

3.5.3 A hoax as a threat

A hoax is a false rumour and/or a fake warning. Examples include fake messages in e-mails or on social media that urge readers to inform as many people as possible.
Hoaxes are not a new phenomenon, but have recently attracted more attention again as a result of a number of incidents. 37 In May 2012, for example, it was reported that 50,000 Twitter user names and passwords had been published on Pastebin.com. Reports like this seem to be motivated particularly by sensationalism, recognition and the wish to inflate incidents. A hoax can have major consequences (see the KPN and Babydump case study), which is why the relevance of this threat is medium for both the government and private organisations. Hoaxes are often fairly innocent. In April 2012, for example, WhatsApp was hit by a fake message stating that users' accounts would become inactive if they did not forward the message to everyone in their address books. 38 Sometimes users are asked to do something that could cause them problems. The warning circulating on Facebook in April 2012 is a good example: it urged users to remove the RockMelt social web browser because it was supposedly a virus. 39 Various websites provide information about hoaxes, such as http://www.virusalert.nl and http://www.hoax-slayer.com.

Figure 6. Number of Dutch PCs infected in the period from July 2010 to June 2012 inclusive (stacked percentage chart by month; categories: infected, not infected, AV, no AV, AV and infected, AV and not infected; the plotted values are not recoverable from the text)

32. Eurostat, in the Statistics Netherlands report ICT, Kennis en Economie
33. OPTA annual report for 2011
34. OPTA annual reports for 2010 and 2011
35. http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2011/01/13/internet-service-providers-and-botnet-mitigation.html
36. http://www.surfright.nl
37. http://security.onestopclick.com/technology_news/twitter-hack-a-hoax_202.htm
38. http://www.hoax-slayer.com/whatsapp-servers-full-hoax.shtml
39. http://www.hoax-slayer.com/rockmelt-virus-warning-hoax.shtml
The KPN and Babydump case study

After attackers had gained access to KPN systems in November 2011, a false claim circulated in February 2012 that KPN log-in data for e-mail boxes had been leaked during the hack. The claim appeared to be true because data on more than 500 people with a KPN e-mail account had been posted on the website Pastebin.com. This prompted KPN to block access to incoming e-mail for 2,000,000 of its clients for 24 hours. 40 In addition, these clients were asked to change the passwords for their e-mail accounts. More than 1,000 clients reported having been affected by the deactivation of incoming e-mail at KPN. 41 Ultimately, it was found that the client data had actually been stolen via a leak at another website: Babydump.nl. 42 Another false claim stated that log-in data from Ziggo had been leaked; in that case, it was discovered at an early stage that the client data were incorrect. 43

3.6 Emergencies and disasters

Because of the various dependencies that exist in a chain of information systems, what initially seems a minor disruption can ultimately become the source of major inconvenience. These disruptions are not always the result of deliberate actions. Fire, water damage, natural disasters, the sub-optimal performance of software or the failure of hardware can have major consequences.

3.6.1 The disruption of business operations as a result of fire, water damage or natural disasters

Given the importance of digital services for citizens, the government and the private sector, it is vital for the organisations that provide these services to be resilient to such disruptions and to have controls in place against them. The relevance of this threat is medium for the government and private organisations, particularly for companies in the vital sectors.
Everyone depends on service continuity, and the rapid resolution of disruptions is crucial. However, this is evidently not always easy to achieve. Consideration must be given both to prevention and to preparing the steps needed to rectify the situation after an emergency. Continuity management has been added to the agendas of an increasing number of organisations. The Vodafone case study illustrates just how important it is to be well prepared for emergencies.

The Vodafone case study

A fire in business premises next to a building in which Vodafone housed network equipment caused the air conditioning at Vodafone to fail. The network equipment overheated and stopped functioning properly. As a result, on 4 April 2012 millions of people in the Randstad conurbation were unable to use their mobile phones to make calls, send texts or use the internet. The clients affected included central government, which depends largely on Vodafone for its mobile phone calls. Machine-to-Machine communication was affected too, such as TomTom Live and the weather stations used by the KNMI.

3.6.2 The disruption of business operations as a result of the failure of hardware and/or software

Despite careful and professional management of ICT hardware and software, and despite preventive measures, it is not always possible to avoid incidents and disruptions. The complexity of the interplay between hardware and software components makes it difficult for the average manager to maintain an overview. Software updates and hardware replacements make an organisation's operational processes vulnerable (see the NS case study). Careful testing and the formulation of fallback scenarios, combined with structural and extensive testing of alternative procedures, are a matter of business continuity planning.
Disruptions resulting from the failure of hardware and software are a relevant threat (medium) for the government and private organisations.

The NS case study

On 22 March, traffic control at the NS decided to halt rail traffic after it lost its overview of how trains were running following a series of related ICT failures. These failures occurred after an alternative procedure had been launched following the discovery of a defective hardware component. Although the traffic control systems were built as multiple-redundant systems, it was found that the automatic switching between these systems was not working well. When traffic control switched to a different system, the software failed to work because a component was missing. Ultimately, this problem had major consequences for rail traffic.

40. http://forum.kpn.com/t5/news-stream/update-digitale-inbraak/ba-p/16889
41. http://forum.kpn.com/t5/news-stream/kpn-mail-722-000-wachtwoorden-gereset/ba-p/20397
42. http://tweakers.net/nieuws/79953/mailgegevens-kpn-klanten-kwamen-uit-baby-dump-database.html
43. http://www.security.nl/artikel/40802/1/ziggo_gehackt.html
3.7 Threats and incidents handled by the NCSC

Table 4. Numbers of threats and incidents in government bodies handled by the NCSC

| Type | 11Q2 + 11Q3 | 11Q4 + 12Q1 | Percentage 11Q2 + 11Q3 | Percentage 11Q4 + 12Q1 |
|---|---|---|---|---|
| Malware infection | 39 | 18 | 57% | 30% |
| Information exposure/data leak | 6 | 11 | 9% | 19% |
| Phishing | 5 | 7 | 7% | 12% |
| DDoS attack | 2 | 6 | 3% | 11% |
| Possible attack threat | 5 | 5 | 7% | 9% |
| Hack attempt | 1 | 5 | 1% | 9% |
| Targeted attack | 3 | 2 | 4% | 4% |
| Website hack | 1 | 2 | 1% | 4% |
| Identity theft | 3 | 1 | 7% | 2% |
| Other | 3 | - | 4% | 0% |
| Total | 68 | 57 | 100% | 100% |

In the last two quarters, the NCSC handled 57 incidents involving government bodies. [44] Although this figure was lower than the figure for the previous half year, it is still not possible to conclude that the number of incidents is decreasing on a structural basis. Based on the data in Table 4 and Figure 7, it is possible to produce an analysis of threats and attacks within government bodies.

Figure 7. The distribution of threats and incidents handled by the NCSC within government bodies, 11Q4 + 12Q1 (the categories shown are those of Table 4)

The analysis referred to above shows that malware infections were responsible for the majority of incidents in the period since October 2011, although the number of these incidents fell in comparison with the previous half year. By contrast, information leaks constitute a bigger proportion of incidents, at 19%. The number of DDoS attacks has increased in comparison with the previous period.

44. The NCSC also supports the private sectors. However, until 1 January 2012, GOVCERT.NL primarily provided assistance to government bodies. Therefore, for ease of comparison, this analysis has been limited to the government.
3.8 Threat overview

3.8.1 An estimate

The actors presented in Section 2 and the relevant threats described in this section have been used to produce a threat relevance overview. The table below shows which threats are posed by a particular actor and how relevant these threats are for the targets government, private organisations and citizens. This estimate is based on the expert opinion of various experts at the NCSC and experts allied to the NCSC.

3.8.2 Threat perception by citizens

Although the experts at the NCSC and experts affiliated to the NCSC have estimated what they consider the threat to be, this does not mean that everyone will actually experience this threat as such. In research [45] conducted into (internet) security amongst citizens, TNS NIPO concluded that the majority (71 percent) have experienced different forms of cyber crime. In a sample, 55 percent of respondents state that they have been the victim of spam on occasion, 62 percent of respondents have been confronted with phishing (18 percent of e-mails ask for bank and credit card data) and 26 percent of respondents have had a virus on their computers.
Table. Threat relevance overview (rows: threat groups; columns: targets). Threat groups: States; Private organisations; (Professional) criminals; Terrorists; Hacktivists; Script kiddies; Cyber researchers; Internal actors; Not an actor. Targets: Government; Private organisations; Citizens. Threats named in the cells: Digital espionage; Disruption as a result of malware infection and spam; Blackmail; Digital (identity) fraud; The disruption of online services; Sabotage; The publication of confidential data; The disruption of vital infrastructure; Hoax; Fire, water damage and natural disasters; Failure and/or absence of hardware and software. Relevance: Unknown/N/A, Low, Medium, High (explanation: see Appendix 1).

Despite this, more than half of respondents (51 percent) state that they are moderately to completely unaware of the dangers of internet use, including cyber crime, viruses, spam and the risks ensuing from visiting fake websites.

Statistics Netherlands conducted research [46] into the concerns that citizens have about security on the internet. This research shows that citizens do actually have concerns about security on the internet. Despite threats like payment card fraud, phishing, computer viruses and spam, citizens are most concerned about the abuse of personal data and privacy breaches. Citizens are affected most by computer viruses (24 percent) and spam (almost 70 percent).

45. As part of its vision report entitled Trends in veiligheid 2011-2012, Capgemini commissioned TNS NIPO to do research amongst citizens of the Netherlands. This research involved 549 respondents aged 18 and older.
46. Statistics Netherlands, report ICT, Kennis en Economie
SECTION 4 Vulnerabilities
A vulnerability is a characteristic of a society, organisation or information system, or a part of any of these. A vulnerability gives a malicious party the opportunity to impede and influence legitimate access to information or functionality, or to gain access to information or functionality without authorisation to do so. Vulnerabilities are the access gateways through which threats can lead to incidents. The resolution of vulnerabilities is a direct approach to reducing the risk posed by threats and the chance of incidents. A vulnerability is caused by various factors. In this section, a distinction is made between vulnerabilities caused by human and organisational factors on the one hand and technical factors on the other.

4.1 Vulnerabilities caused by human and organisational factors

The attention this subject is receiving from the political world and media is resulting in the increasing realisation that cyber security incidents can influence the business operations of an organisation. The vulnerabilities that lead to incidents of this nature are in part the result of user error. However, they may also arise from shortcomings in the structure of an organisation.

4.1.1 Websites and web applications that lack sufficient security

This year, incidents involving web applications and websites that lack sufficient security have been the subject of a great deal of attention, just as they were last year. In October 2011, publications issued in relation to Leaktober brought a number of vulnerable websites to the attention of readers. It is clear that in 2012 website and web application security still leave much to be desired, putting client data and other sensitive data at risk. The applicable vulnerabilities can be broken down into four outline categories:

- Applications that have been provided with insufficient security by users or managers. This includes systems connected to the internet with a standard or easy-to-guess user name and password;
- Standard applications, such as content management systems, for which some of the security updates issued have not been installed;
- Programming errors in (bespoke) websites and web applications;
- Application and database injection and Cross Site Scripting (XSS).

As part of its response to threats and incidents, the NCSC also handles vulnerability discoveries. When an analysis is produced solely on the vulnerabilities discovered within government bodies, these can be broken down as follows:

Table 5. The number of vulnerabilities discovered by the NCSC within government bodies

| Type | 11Q2 + 11Q3 | 11Q4 + 12Q1 | Percentage 11Q2 + 11Q3 | Percentage 11Q4 + 12Q1 |
|---|---|---|---|---|
| Website vulnerability | 7 | 36 | 87% | 79% |
| Vulnerable system | | 8 | 0% | 17% |
| Software vulnerability | 1 | 1 | 13% | 2% |
| Network vulnerability | | 1 | 0% | 2% |
| Total | 8 | 46 | 100% | 100% |

Figure 8. Distribution of the vulnerabilities discovered by the NCSC within government bodies (the categories shown are those of Table 5)

In comparison with the previous period, the number of vulnerabilities handled by the NCSC has increased greatly since 1 October 2011. This points not so much to an increase in the number of vulnerabilities as to increased attention to these vulnerabilities, by cyber researchers in particular. As a result, the number of reports on vulnerabilities has increased. The figures show that the majority of the vulnerabilities handled were website vulnerabilities.
4.1.2 Access security easy to bypass

In many cases, access to websites and other applications is still secured by just a user name and a password. It has become evident that access security is easy to bypass by guessing weak passwords, through phishing and website hacking, and because of the re-use of passwords.

The use of standard, weak or easy-to-guess passwords

Standard passwords are the passwords delivered with a new product, which ought to be deleted or reset after installation. However, this is not always done, which makes it easy for attackers to gain access to systems. Weak passwords are often easy to guess and/or to crack with the tools available. In 2012, it was demonstrated that access to medical systems, ICS and SCADA systems, etc. was possible as a result of this situation.

Insufficient awareness of the dangers of phishing

Analyses of security incidents and exercises in which the NCSC participated show that phishing continues to be a successful way to obtain access credentials. A success ratio of 30% is feasible. However, a condition for success in this respect is the use of a well-written phishing e-mail, geared towards the organisation in question. This means that information systems that are accessible via the internet and do not use strong authentication (two-factor authentication, for example) are particularly vulnerable.

An example of the vulnerability of webmail

More than one-third of the 679 government domains [47] investigated by the NCSC use a webmail service. [48] Just one webmail service is protected on the basis of a passcode, which points to the use of a token for authentication. All of the other webmail services investigated are protected on the basis of just a user name and password. In the latter case, access to the e-mails of government officials can be gained via a phishing action, for example.
Insufficient security when storing user data

The exploitation of vulnerabilities in poorly secured websites is another approach that malicious parties can use to obtain user names and passwords. Particularly where insufficient security is in place for stored user names and passwords, hackers will often find it easy to discover these passwords. Once obtained, the (encrypted) passwords are published in an increasing number of cases and are shared via fora and Pastebin. A good example of this situation is the LinkedIn hack of June 2012.

Use of the same user data for different services

Sometimes, obtaining log-in data for what would appear to be unimportant services actually turns out to be a great gain for hackers. This is because users appear to use the same user names and passwords for different services. Given this fact, once the data for one service have been retrieved, the data for other services will be known too. As such, a break-in at a webshop or on an association website may make it possible to gain access to confidential e-mail messages.

4.1.3 Software that has not been updated

Software is vulnerable in the period before the software supplier makes an update available and remains vulnerable until this update (or patch) has been installed. Analysis by the NCSC shows that updates are often not installed, or are not installed quickly enough. Vulnerabilities that had not yet been identified (0-days) were abused by malicious parties in only a few cases.

Research into vulnerabilities by the NCSC

The NCSC regularly publishes security advice in respect of software vulnerabilities. Analysis of known incidents by the NCSC shows that this advice is not always observed. The NCSC has done research into the version numbers used by web servers and content management systems for more than 1,600 domains within the .nl Top Level Domain (TLD). This research looked at domains for government organisations and domains for the 1,000 most popular sites, amongst other things.

In the research mentioned above, web servers based on Apache and on Microsoft Internet Information Services (IIS) were encountered. It was found that 8 percent of the Apache web servers used an outdated version that had not been supported for more than two years, while 8 percent were up to date. It was also found that for 84 percent of the servers it was not possible to establish whether all of the updates available had been installed. This is difficult to establish remotely for the IIS systems in particular. The research showed that at least 1% of the IIS systems were outdated. Twenty-eight percent of the content management systems studied were found to be outdated.

4.1.4 Third party recording of user surfing habits

User surfing habits are being recorded and analysed on an ever greater scale by all kinds of parties, resulting in privacy vulnerabilities. The recording of surfing habits is referred to as tracking and can be used for a number of purposes, including customised advertising and website optimisation.

47. Source: overheid.nl
48. http(s)://webmail.<domein>.nl
The NCSC studied the top 1,000 most popular Dutch websites [49] for advertising and the presence of 70 different tracking mechanisms offered by third parties. The research also included the use of first party cookies. These are used for tracking, but for other purposes too. As expected, no advertising was encountered on websites for the public sector, with the odd exception. Advertising was encountered on more than 46 percent of the 1,000 websites studied. In line with earlier findings, tracking was found to be used on almost 90 percent of the websites studied. Besides this, the detailed results obtained from the research show that tracking is also used on websites for hospitals, for example. This group is surprising given the fact that data relating to surfing habits on these sites is placed in the hands of third parties and these data may be privacy-sensitive. On almost 80 percent of the 1,000 websites studied, one or more cookies are created when visitors access the home page of the organisation.

4.1.5 The use of mobile devices and consumerisation

BYOD is a trend under which organisations permit the use of personal devices for the processing of business data. Here, the individual user is responsible and liable for these devices and uses them for both personal and business purposes. Consumerisation is a trend that is closely linked to BYOD. Consumerisation means that ICT is increasingly being developed on the basis of consumer requirements. Where organisations are concerned, BYOD and consumerisation mean that they need to respond even better to the requirements of the mobile employee. Research shows that almost 75 percent of the organisations studied allow company resources to be accessed by devices that are not administered by the ICT department. [50] These developments are impacting the information security in place in organisations, and it is becoming necessary to adopt a different approach to access to business data from endpoints and to how these data are stored. Research [51] shows that the security policy adjusted to reflect the above is often ignored by employees and that awareness of the risks ensuing from data leaks is low. [52] It is also found that almost half of the organisations see a correlation between the increase in the number of mobile devices and the number of security incidents that occur. [53]

Consumerisation more than technology

Consumerisation is not just a technological issue. Social media can be an effective tool for organisations, but employees must understand how to utilise them as safely and effectively as possible. Research shows that more than half of the organisations studied have experienced an increase in malware attacks. Because of this, the growing use of consumer applications like Facebook, LinkedIn and Twitter is prompting organisations to update business and communication policy.

User naivety when releasing personal data

People are increasingly publishing their own personal data via social networks without actually realising the consequences this will have. Examples include photos, address details, hobbies and information about the work they do. Users are often unaware that personal data are collected, stored and analysed. The need to use a mobile application or service often outweighs the need for a sense of security or concerns about privacy. Naturally, the organisations that collect these personal data must accept some responsibility here too. They must clearly and unambiguously describe how the data collected are used. A change is happening here, under pressure from various organisations. [54]

4.1.6 Security responsibility for Big Data

The size of data collections, often referred to as Big Data, is continuing to increase, making them a magnet for malicious parties that want to use these data. Big Data collections are often unstructured and frequently have low requirements as regards confidentiality and integrity. Information obtained by combining a large number of data elements is often subject to different sensitivities and requires the renewed determination of confidentiality and integrity requirements. Where this does not happen, it is likely that insufficient procedural and technological safeguards will be in place to protect this information. In contrast to traditional information systems, the use of big datasets is often data-driven: the starting point is a large unstructured dataset, which is studied to ascertain which information can be distilled from it. As a result, it is not possible to determine in advance which level of confidentiality and integrity the information obtained will have. This may mean that the access rights that users have are (too) extensive.

49. http://www.alexa.com, site last visited on 1 April 2011
50. iPass (November 2011) The iPass Mobile Enterprise Report: http://info.ipass.com/forms/mobileenterprise-report
51. Trend Micro (January 2012) Trend Micro Consumerization: The cause and effect of consumerization in the workplace: http://uk.trendmicro.com/imperia/md/content/uk/about/consumerization/consumerization_exec_summary-en.pdf
52. PricewaterhouseCoopers (March 2012): Information Risk Maturity Index: http://continuitycentral.com/BeyondCyberThreats.pdf
53. Trend Micro (February 2012) Mobile Consumerization Trends & Perceptions: http://www.trendmicro.com/cloud-content/us/pdfs/rpt_decisive-analytics_mobile_consumerization_trends_perceptions.pdf
54. Ad.nl (February 2012) Akkoord grote techbedrijven over privacy bij app-gebruik: http://www.ad.nl/ad/nl/5595/digitaal/article/detail/3197387/2012/02/23/akkoord-grote-techbedrijven-over-privacy-bijapp-gebruik.dhtml
Traditionally, the information system owner is responsible for the security of an information system and, as such, of the data too. By adopting a data-oriented approach, the role of the information system owner in this area shifts to the background in favour of the role played by a data owner. The security responsibility of this functionary will be independent of the location of the information in a specific information system. However, in practice the responsibility of the information system owner is limited in many cases while no data owner has been identified. In cases like this, no one is responsible for data security anymore, because of which the level of data security is inadequate.

4.1.7 Insufficient detection of irregularities

In practice, it is found that some organisations lack sufficient insight into the status of their own infrastructure and all of the (information) systems present in this infrastructure. As a result, incidents and vulnerabilities are not discovered promptly and/or are only discovered by accident. This situation makes it easy for malicious parties to retain their presence and cause a great deal of damage without detection for a protracted period of time, and it is not possible to put appropriate compensatory and repressive measures in place in good time.

4.2 Technical vulnerabilities

Mistakes are made when designing, implementing and configuring technology. These mistakes make it possible for attackers to penetrate systems or influence how these systems work. These vulnerabilities manifest themselves in both hardware and software.

4.2.1 Achieving a reduction in vulnerabilities in standard software

When describing vulnerabilities in standard software, the NCSC draws on the internationally accepted standard based on Common Vulnerabilities and Exposures (CVE). CVE makes it possible to document vulnerabilities in a standard manner and to uniquely identify vulnerabilities in standard software.
For this reason the CVE database is ideal for analyses of the vulnerabilities that have become known. In this subsection, a number of striking results will be described on the basis of an analysis of this database, including the use of the Common Vulnerability Scoring System (CVSS). The analysis is based on known products that are used by the target groups of the NCSC.

The number of vulnerabilities in standard software

Figure 9 shows how the number of vulnerabilities in standard software has developed over the last 12 years. The number of vulnerabilities discovered grew until 2006 and then started to decrease, following a brief period of stabilisation.

Figure 9. Number of vulnerabilities in standard software over the last 12 years (bar chart; x-axis: years 2000 to 2011; y-axis: number of vulnerabilities, 0 to 7,000)

More than half of the vulnerabilities found are relatively easy to exploit

An analysis of the vulnerabilities that became known between July 2011 and March 2012 shows that 55% of them are relatively easy to exploit.

More than 90 percent of the vulnerabilities found can be exploited remotely

More than 90 percent of the vulnerabilities analysed can be exploited from an external network. The other vulnerabilities require physical access to the platform or access to the local network.

More than one-third of the vulnerabilities could potentially result in a full breach of security aspects

In more than one-third of the vulnerabilities known, successful exploitation results in a full breach of security aspects. In this situation, malicious parties can:

- render the system completely unavailable (availability);
- make changes to every file in the system (integrity);
- gain access to all of the files in the system (confidentiality).

The expectation is that even if the number of known vulnerabilities starts to decrease, they will continue to be an important source of future incidents. The most important reason for this is that organisations do not or cannot resolve these vulnerabilities.

Vulnerable software

The CVE database also registers in which software each vulnerability is present. When doing this, a distinction is made between operating systems and applications. An analysis of 2,870 vulnerabilities that were registered in the period July 2011 up to and including March 2012 shows that many of the vulnerabilities can be found in browsers and browser add-ons. The top 10 includes Google Chrome, Mozilla Firefox, Apple WebKit, Opera and Apple Safari. Besides this, the number of vulnerabilities that feature in the CVE database may have been influenced by the encouragement to find vulnerabilities in specific software products. Based on the number of vulnerabilities known, the expectation is that outdated browsers and browser add-ons, like Adobe Flash Player, will continue to be interesting targets in 2012. Malicious or infected websites make it possible to attack large numbers of users in a short space of time, as illustrated by the recent attack on NU.nl, for example. These types of vulnerability are popular, but suppliers frequently resolve them in new versions of their products. One way of limiting the success of attacks of this nature is to install updates as quickly as possible. If systems are not patched fully, this may be due to carelessness, but legitimate reasons may play a role too. For example, the continuity of service provision would be jeopardised if a patch were installed that had not been tested in full.
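The three classes used in the analysis above (relatively easy to exploit, exploitable remotely, full breach of confidentiality, integrity and availability) correspond to the Access Complexity, Access Vector and impact metrics of a CVSS v2 base vector. The following Python is an added example, not part of the NCSC report: it parses v2 base vectors, reproduces the v2 base-score equation (checked against the two CVEs the report cites in Section 4.2.2; their NVD base vectors are supplied here, the report gives only the scores) and computes the three shares over a constructed sample set.

```python
"""CVSS v2 base-vector classification (added example, not from the report).
Easy to exploit = Access Complexity Low; remotely exploitable = Access Vector
Network; full breach = C:C/I:C/A:C. SAMPLE_VECTORS is constructed data."""
import re
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable, Dict, Iterable

_VECTOR_RE = re.compile(
    r"^AV:(?P<av>[LAN])/AC:(?P<ac>[HML])/Au:(?P<au>[MSN])/"
    r"C:(?P<c>[NPC])/I:(?P<i>[NPC])/A:(?P<a>[NPC])$"
)

# Metric weights from the CVSS v2 base score equation.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


@dataclass(frozen=True)
class Cvss2Base:
    av: str  # Access Vector: Local, Adjacent network, Network
    ac: str  # Access Complexity: High, Medium, Low
    au: str  # Authentication: Multiple, Single, None
    c: str   # Confidentiality impact: None, Partial, Complete
    i: str   # Integrity impact
    a: str   # Availability impact

    @classmethod
    def parse(cls, vector: str) -> "Cvss2Base":
        m = _VECTOR_RE.match(vector.strip())
        if m is None:
            raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
        return cls(**m.groupdict())

    def easy_to_exploit(self) -> bool:
        """'Relatively easy to exploit': Access Complexity Low."""
        return self.ac == "L"

    def remotely_exploitable(self) -> bool:
        """Exploitable from an external network: Access Vector Network."""
        return self.av == "N"

    def full_breach(self) -> bool:
        """Complete loss of confidentiality, integrity and availability."""
        return (self.c, self.i, self.a) == ("C", "C", "C")

    def base_score(self) -> float:
        """CVSS v2 base score, rounded half-up to one decimal."""
        impact = 10.41 * (1 - (1 - _IMPACT[self.c]) * (1 - _IMPACT[self.i])
                          * (1 - _IMPACT[self.a]))
        exploitability = 20 * _AV[self.av] * _AC[self.ac] * _AU[self.au]
        f_impact = 0 if impact == 0 else 1.176
        raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
        return float(Decimal(str(raw)).quantize(Decimal("0.1"), ROUND_HALF_UP))


def is_valid_vector(vector: str) -> bool:
    try:
        Cvss2Base.parse(vector)
        return True
    except ValueError:
        return False


def summarise(vectors: Iterable[str]) -> Dict[str, float]:
    """Share (percent, one decimal) of vectors in each class the report uses."""
    parsed = [Cvss2Base.parse(v) for v in vectors]
    total = len(parsed)
    if total == 0:
        raise ValueError("no vectors to summarise")

    def pct(flag: Callable[[Cvss2Base], bool]) -> float:
        return round(100.0 * sum(1 for p in parsed if flag(p)) / total, 1)

    return {
        "total": total,
        "easy_to_exploit_pct": pct(Cvss2Base.easy_to_exploit),
        "remotely_exploitable_pct": pct(Cvss2Base.remotely_exploitable),
        "full_breach_pct": pct(Cvss2Base.full_breach),
    }


# The two CVEs the report cites (footnotes 55 and 56), with the NVD v2 base
# vectors supplied here; the report itself only gives the scores 7.8 and 4.3.
CVE_2011_3192 = "AV:N/AC:L/Au:N/C:N/I:N/A:C"  # Apache web server, score 7.8
CVE_2011_3389 = "AV:N/AC:M/Au:N/C:P/I:N/A:N"  # SSL/TLS protocol, score 4.3

# Constructed sample set (not real CVE data), chosen to exercise each class.
SAMPLE_VECTORS = [
    "AV:N/AC:L/Au:N/C:C/I:C/A:C",  # remote, easy, full breach
    CVE_2011_3389,                  # remote, medium complexity, partial
    CVE_2011_3192,                  # remote, easy, availability only
    "AV:L/AC:L/Au:N/C:C/I:C/A:C",  # local access needed, full breach
    "AV:A/AC:H/Au:S/C:P/I:P/A:P",  # adjacent network, hard, partial
]

if __name__ == "__main__":
    for v in (CVE_2011_3192, CVE_2011_3389):
        print(v, Cvss2Base.parse(v).base_score())
    print(summarise(SAMPLE_VECTORS))
```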
4.2.2 Large variation in the turnaround time when resolving vulnerabilities

There is a big difference in the time that different suppliers need to resolve vulnerabilities in their products. Depending on the vulnerability, it may in some cases be necessary for a number of suppliers to issue updates to resolve a single vulnerability. This is the case, for example, in open source products that are shipped by various Linux distributions, each in a separate package. To illustrate the response to vulnerabilities, we have analysed the actions of suppliers for two different vulnerabilities. The examples show that some suppliers issue an update almost immediately, while others may take 200 days to do so, so that the vulnerability remains throughout this period. Two examples are shown in Figure 10. The first example relates to the resolution of a vulnerability in the SSL protocol. [55] The other example pertains to a vulnerability in the Apache web server, which was discovered halfway through last year. [56]

Figure 10. Number of days before a supplier resolves a vulnerability in a product (y-axis: percentage of suppliers, 0 to 100%; x-axis: number of days, 0 to 210; series: CVE-2011-3192 (Apache web server) and CVE-2011-3389 (SSL protocol))

55. CVE-2011-3389 (CVSS score: 4.3)
56. CVE-2011-3192 (CVSS score: 7.8)

4.2.3 Vulnerabilities for mobile malware

Malicious parties are still looking for ways to quickly and easily make money from mobile devices. At the current time, vulnerabilities for Android smartphones are increasing, but the explosive growth expected has not manifested itself. Two reasons can be identified for the increase observed: Android is an open platform and, at the current time, is the operating system used most frequently
for smartphones, [57] and its market share would still seem to be growing. [58] However, it should also be observed that vulnerabilities on other platforms, such as the iPhone, are being abused too. [59] Android updates are issued regularly, but in most cases are not available directly to individuals who own an Android device. The producer of the device is responsible for ensuring that the updates published are modified to make them suitable for each of the devices it has issued. In a number of cases, these updates will also be modified for providers that issue a branded version. It appears that the producers of most Android devices only make new versions of Android available for a given device for a limited period of time. In some cases, devices are even sold with an operating system for which new versions are no longer being produced. In cases like this, a device will be and will remain vulnerable to all known and newly discovered vulnerabilities in that specific version of the operating system. Two possible scenarios for making money with mobile malware are:

- sending text messages to so-called premium rate services. The majority of this malware can be classified as fake applications that present themselves as free versions of legitimate applications; [60]
- intercepting the authentication data required when transferring money to accounts belonging to malicious parties. This scenario is continuing to evolve too and is making more and more use of mobile applications. [61] The expectation is that this will become more popular in the future because an increasing number of users are doing their finances on mobile devices. Zitmo (Zeus-in-the-mobile) and Spitmo (SpyEye-in-the-mobile) are two known families of mobile malware that are used for this purpose. [62]

4.2.4 Vulnerabilities as a result of implementation errors

Despite the strength of cryptographic algorithms, errors may be introduced during their implementation, which will result in vulnerabilities. In 2011, researchers discovered that a good random generator had not been used for key generation in implementations of the strong RSA algorithm, because of which there were similarities between the keys. [63] The RSA algorithm uses a public key and a secret key. As these terms suggest, the public key is shared with others, while the secret key must remain secret. Someone who has a public key that is similar to another public key will be able to calculate the corresponding secret key, which will also make it possible to decrypt or manipulate encrypted communication, for example.

In the research referred to above, more than six million public RSA keys were compared. In four percent of cases, it was found that there were similarities between these keys that pointed to the absence of a good random generator. In this situation, it becomes possible to identify the corresponding secret keys. The research conducted also shows that RSA is far more sensitive to this vulnerability than other algorithms are (ElGamal, DSA and ECDSA, for example). If an organisation has outsourced key generation, as may be the case for SSL certificates, it will not be possible for it to ascertain whether a good random generator has been used to generate the keys without actually repeating the research done.

4.2.5 Vulnerabilities inherent to the design of protocols

Vulnerabilities will not necessarily be limited to the implementation of a security protocol; the protocols themselves may be vulnerable too. Sometimes, a new version of the protocol will be created in order to resolve a vulnerability. In other cases, it will be necessary to redesign the protocol in question. The SSL/TLS protocol is an example of a vulnerable protocol that has been improved through the introduction of a new version of the protocol. The SSL 2.0, 3.0 and TLS 1.0 versions are vulnerable to attacks in which attackers are able to tap the secure connection. The newer and more secure TLS 1.1 and 1.2 versions, which have been available for some time now, were barely in use at this time. Service providers only put measures in place after a Proof of Concept (BEAST) had been presented. Not all of the software solutions used by end users are able to handle the latest version at the moment, because of which end users would experience disruptions if service providers were to block or deactivate the possibility to communicate using the old protocol.

57. Symantec (October 2011) The Motivations of Recent Android Malware: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/motivations_of_recent_android_malware.pdf
58. Gartner (November 2011): http://www.gartner.com/it/page.jsp?id-1848514
59. Nu.nl (March 2012) Overheid waarschuwt voor lek in iphone- en ipadbrowser: http://www.nu.nl/internet/2769765/overheid-waarschuwt-lek-in-iphone-en-ipadbrowser.html or http://www.waarschuwingsdienst.nl/risicos/actuele+dreigingen/softwarelekken/wd-2012-026+Kwetsbaarheid+gevonden+in+Apple+iOS+Webkit.html
60. F-Secure (published in February 2012) Mobile threat report Q4: http://www.f-secure.com/weblog/archives/mobile_threat_report_q4_2011.pdf
61. Tweakers.net (September 2011) Malware voor Android onderschept tan-codes internetbankieren: http://tweakers.net/nieuws/76789/malware-voor-android-onderschept-tan-codesinternetbankieren.html
62. McAfee (September 2011) Spitmo vs Zitmo: Banking Trojans Target Android: http://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android
63. http://eprint.iacr.org/2012/064.pdf
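The shared-factor weakness described in 4.2.4 can be detected from public keys alone, which is what makes it practical to audit an organisation's own certificate inventory for it. The Python below is an added example, not code from the report or the cited study: it takes a list of RSA moduli, finds pairs that share a prime via gcd, and derives the corresponding private exponents to confirm the finding. The primes are deliberately tiny constructed values so the arithmetic is visible, and the public exponent 65537 is an assumption.

```python
"""Shared-prime check on RSA public moduli (added example, not from the
report or the cited study). If two moduli n1 = p*q1 and n2 = p*q2 were made
by a poor random generator that repeated the prime p, gcd(n1, n2) = p and
both private keys follow from public data alone. Constructed small primes
are used below; a real audit runs the same check on 1024- or 2048-bit
moduli taken from a certificate inventory."""
from itertools import combinations
from math import gcd
from typing import Dict, List, Tuple

PUBLIC_EXPONENT = 65537  # assumed common public exponent


def find_shared_factors(moduli: List[int]) -> List[Tuple[int, int, int]]:
    """Pairwise gcd over the moduli. Returns (i, j, p) for each pair sharing
    a non-trivial factor p (1 < p < both moduli). Identical moduli are a
    different defect (duplicate keys) and are deliberately not reported.
    Quadratic in the number of keys; the cited study used a batch-gcd
    product tree for millions of keys, but the per-pair test is the same."""
    hits = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        p = gcd(n1, n2)
        if 1 < p < min(n1, n2):
            hits.append((i, j, p))
    return hits


def recover_private_key(n: int, p: int, e: int = PUBLIC_EXPONENT) -> Tuple[int, int, int]:
    """Given a modulus n and one prime factor p, return (p, q, d)."""
    if n % p != 0:
        raise ValueError("p does not divide n")
    q = n // p
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return p, q, d


def audit(moduli: List[int], e: int = PUBLIC_EXPONENT) -> Dict[int, Tuple[int, int, int]]:
    """Map the index of every affected modulus to its recovered (p, q, d)."""
    compromised: Dict[int, Tuple[int, int, int]] = {}
    for i, j, p in find_shared_factors(moduli):
        for idx in (i, j):
            if idx not in compromised:
                compromised[idx] = recover_private_key(moduli[idx], p, e)
    return compromised


def roundtrip_ok(n: int, d: int, e: int = PUBLIC_EXPONENT, m: int = 42) -> bool:
    """Confirm d is the private exponent for (n, e): decrypt(encrypt(m)) == m."""
    return pow(pow(m, e, n), d, n) == m


# Constructed demo keys (small primes; these are NOT real keys). Keys 0 and 1
# share P_SHARED, as if a weak generator produced the same prime twice;
# key 2 is independent and must not be flagged.
P_SHARED = 1000000007
Q1, Q2 = 1000000009, 998244353
P3, Q3 = 1000000021, 1000000033
DEMO_MODULI = [P_SHARED * Q1, P_SHARED * Q2, P3 * Q3]

if __name__ == "__main__":
    for idx, (p, q, d) in audit(DEMO_MODULI).items():
        print(f"key {idx}: n = {DEMO_MODULI[idx]} = {p} * {q}; "
              f"private exponent verified: {roundtrip_ok(DEMO_MODULI[idx], d)}")
```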
SECTION 4 > Vulnerabilities

For a number of years now, it has also been known that the SSL/TLS protocol is vulnerable to DoS attacks because it contains an asymmetry in the amount of computing power required. If a client uses SSL/TLS to establish a secured connection with a server, the server needs to do approximately 15 times as many calculations as the client. By establishing a large number of SSL/TLS connections, an attacker can overload a server. With the publication of the thc-ssl-dos tool, which exploits this vulnerability, abuse has become easy. Although the published version of thc-ssl-dos only works against servers that support SSL renegotiation, the underlying vulnerability is present in all services that use SSL/TLS. A real solution to this vulnerability will require a redesign of the SSL/TLS protocol. Incidentally, there are no indications that thc-ssl-dos is actually being used for DoS attacks at the current time.

4.2.6 Vulnerabilities in GSM and satellite telephony

Known vulnerabilities in one system may also apply to other systems. The weaknesses present in the GSM protocol and the impact they have on the security of satellite telephony are an example of this. In recent years, a number of vulnerabilities have been identified in the GSM protocol (2G), a popular protocol that is still used by mobile phones. As demonstrated previously, it is possible to use a cheap tapping device to receive, decrypt and play back an encrypted conversation. In December 2011, it was shown that a person's mobile identity can be stolen and used to make calls that are charged to the individual in question. At the same time, a website was launched [64] that makes clear, per country and per operator, the differences in exposure to identity fraud, tapping and the tracking of mobile phone users.
This map shows that there are major differences in the measures that operators put in place in different European countries. Like GSM, satellite telephony has come under fire. This started in February 2012, when A5-GMR-1 and A5-GMR-2, the secret encryption algorithms used for satellite telephony, were broken by two German researchers. [65] The algorithms used for satellite telephony are very similar to the A5/2 encryption algorithm that was also used for GSM, which made it possible for the researchers to tap calls. The users of satellite telephony would seem to be an interesting target group for attackers. Given that the equipment needed for attacks of this nature costs approximately 100, such attacks are within reach of a large group of attackers.

4.2.7 Vulnerabilities in SCADA and ICS

The number of vulnerabilities discovered in SCADA and ICS systems has increased again since the Cyber Security Assessment of December 2011. In the last quarter of 2011, ICS-CERT issued almost 40 new alerts and advisories that described one or more vulnerabilities. [66] In the first quarter of 2012, this had increased significantly, to almost 50. This increase can be explained in part by the increased interest in SCADA and ICS: on the one hand, this prompts researchers and other interested parties to identify and publish vulnerabilities, while on the other hand, they are finding it increasingly easy to find their way to ICS-CERT. Incidentally, it is not possible to convert the ICS-CERT alerts and advisories into a corresponding number of vulnerabilities, because a single publication sometimes describes several (similar) vulnerabilities. The potential impact of a vulnerability depends very much on the type of system being operated. In addition, the accompanying (security) measures, or the absence of such measures, may determine the potential seriousness. For this reason, it is difficult to make generic pronouncements on how serious vulnerabilities are.
Tools that can exploit vulnerabilities in ICS and SCADA systems have been available in the public domain for some time now. In the previous period, a significant number of exploits that target ICS and SCADA systems were added to the existing list. In addition to software specific to industrial control systems, much generic software is also used in the ICS and SCADA domain. This software consists primarily of operating systems, but also of databases and web technology. The useful life of (and support provided for) this generic software is usually shorter than the useful life envisaged for industrial systems. Sometimes, insufficient consideration is given to the need to replace and also update this generic software.

64. http://www.gsmmap.org
65. Benedikt Driessen and Ralf Hund, http://gmr.crypto.rub.de/
66. ICS-CERT alerts and advisories are published on: http://www.us-cert.gov/control_systems/ics-cert/archive.html
SECTION 5 Tools
SECTION 5 > Tools

When carrying out attacks, threat groups use a number of tools, such as botnets, phishing for spam, ransomware and exploit kits. The last of the tools covered in this section, tools used to hide someone's identity, are used for both well-intentioned and malicious purposes.

5.1 New method for successfully sending spam

In recent years, spam filters have become ever better at recognising and marking spam. For this reason, amongst others, spammers are continually looking for improved ways to make sure that they are still able to deliver spam successfully. One method that is also becoming an increasing problem for government is breaking into webmail environments. Once this has been achieved, automated spam can be sent via the account of a legitimate user of the webmail environment in question, in an effort to bypass spam filters. Webmail is hacked as follows: a number of users in an organisation receive what appears to be a valid e-mail from the helpdesk, asking them to log onto the webmail environment. This e-mail contains a URL that resembles the URL of their own webmail environment, but actually points to a fake webmail environment created by the attacker. The user logs in at this URL, thereby revealing his user name and password to the malicious party. The attacker then uses the stolen data to log onto the real webmail environment, from which it sends large volumes of spam. This approach to spamming can have major consequences for the organisation affected. Sensitive data may be leaked via the webmail. In addition, an attacker could use stolen account data to penetrate deeper into the organisation, because the attacker will find it easier to pass as an employee of the organisation. Finally, the e-mail servers affected may end up on a blacklist. If this happens, it will become almost impossible for the organisation to send e-mails to third parties.
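The scenario above, a legitimate webmail account taken over through a fake login page and then used to send large volumes of mail, leaves a visible trace in the webmail send log. The script below is an added example, not part of the report: it scans a few constructed send-log records for two signals per account, a burst of recipients within a short window and a send rate far above the account's own historical baseline, so that a compromised account can be blocked before the mail server lands on a blacklist. Field layout, account names, baselines and thresholds are assumptions.

```python
"""
Spotting a webmail account that has been turned into a spam source (added example).

Two per-account signals over a send log: (1) a recipient burst inside a sliding
window, and (2) an overall recipients-per-hour rate far above that account's
usual baseline. Both catch the 5.1 scenario without inspecting message content.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: burst window
BURST_RECIPIENTS = 100          # assumption: recipients per window a normal user never reaches
BASELINE_FACTOR = 10            # assumption: flag at 10x the account's usual hourly rate

# Constructed baseline: recipients per hour each account normally reaches.
BASELINE = {"j.jansen": 4.0, "helpdesk": 20.0, "a.devries": 2.0}

# Constructed send log: (timestamp, account, number of recipients on the message).
SAMPLE_LOG = [
    ("2012-03-05 08:01:10", "j.jansen", 1),
    ("2012-03-05 08:15:42", "a.devries", 2),
    ("2012-03-05 08:20:00", "helpdesk", 15),
    ("2012-03-05 09:02:05", "j.jansen", 1),
    # a.devries's credentials were phished; the attacker starts mass-mailing
    ("2012-03-05 09:30:00", "a.devries", 40),
    ("2012-03-05 09:31:10", "a.devries", 45),
    ("2012-03-05 09:33:25", "a.devries", 50),
    ("2012-03-05 09:36:40", "a.devries", 38),
    ("2012-03-05 10:00:00", "helpdesk", 12),
]


def parse(log):
    """Parse timestamps and return the records in chronological order."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, n) for ts, acct, n in log)


def burst_accounts(log, window=WINDOW, limit=BURST_RECIPIENTS):
    """Accounts reaching more than `limit` recipients within any `window`.

    Returns {account: (window start, recipients in that window)} for the first burst seen.
    """
    by_acct = defaultdict(list)
    for ts, acct, n in parse(log):
        by_acct[acct].append((ts, n))
    flagged = {}
    for acct, events in by_acct.items():
        start, total = 0, 0
        for ts, n in events:                       # sliding window over this account's sends
            total += n
            while ts - events[start][0] > window:  # drop sends that fell out of the window
                total -= events[start][1]
                start += 1
            if total > limit:
                flagged[acct] = (events[start][0], total)
                break
    return flagged


def baseline_outliers(log, baseline=BASELINE, factor=BASELINE_FACTOR):
    """Accounts whose recipients-per-hour over the log exceeds factor x their baseline."""
    events = parse(log)
    span_hours = max((events[-1][0] - events[0][0]).total_seconds() / 3600.0, 1.0)
    totals = defaultdict(int)
    for _, acct, n in events:
        totals[acct] += n
    return {a: t / span_hours for a, t in totals.items()
            if t / span_hours > factor * baseline.get(a, 1.0)}


def suspicious_accounts(log):
    """Sorted union of both signals: accounts worth blocking and investigating."""
    return sorted(set(burst_accounts(log)) | set(baseline_outliers(log)))


if __name__ == "__main__":
    for acct, (since, n) in burst_accounts(SAMPLE_LOG).items():
        print(f"burst: {acct} reached {n} recipients within {WINDOW} starting {since}")
    for acct, rate in baseline_outliers(SAMPLE_LOG).items():
        print(f"rate: {acct} sends to {rate:.1f} recipients/hour (baseline {BASELINE[acct]})")
    print("suspicious:", suspicious_accounts(SAMPLE_LOG))
```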
In the first two months of 2012, the Netherlands experienced a relatively high percentage of phishing e-mails (one in every 153 e-mails in the Netherlands in February 2012, as opposed to one in every 358 worldwide). [67]

5.2 The race to hide identity

Users leave traces behind regardless of the type of digital communication used. As not everyone wants to do this, tools are used to prevent this as much as possible. The same technologies can be used to hide an individual's identity. In some cases, the same technologies are used for conflicting purposes. For example, the police use them to remain undetected while performing internet investigations. However, they are also used by suspects, enabling them to hide from the police more effectively. In a number of countries, the use of these technologies could mean the difference between life and death when expressing an opinion. Different methods and technologies can be used to protect someone's (internet) identity. For example, certain software makes it possible to communicate anonymously via the internet or to offer services anonymously, such as Tor [68] and i2p, [69] while other software makes it possible to make payments in a reasonably anonymous manner (BitCoin). These tools are becoming increasingly user friendly, which means that it is becoming easier for a broader public to use them. An example of this type of software is the Tor browser bundle. [70] Although the technologies mentioned above may be used as tools, they may also be targets. Just as virtually all software contains vulnerabilities, software designed to hide a user's identity may contain vulnerabilities too. Recently, a researcher exposed various vulnerabilities in UltraSurf. [71] However, this researcher is also an important developer of Tor, a product with similar functionality.

5.3 A new type of ransomware

Some viruses are designed to try to force someone to pay money to rid himself of a virus infection.
These viruses, also referred to as ransomware, hijack a computer by encrypting documents and photos, for example, as a result of which these files are no longer accessible. The virus states that a certain amount of money must be paid before the encryption is removed. Usually, the victim will not receive a working solution after payment has been made. Ransomware has been a known phenomenon for years now. In recent months, a number of new types of this computer infection have emerged. A new variant is able to infect the master boot record (MBR) of the hard disk, thereby stopping the operating system from starting up.

67. https://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_02_2012.en-us.pdf
68. www.torproject.org
69. http://www.i2p2.de/
70. https://www.torproject.org/projects/torbrowser.html.en
71. https://blog.torproject.org/blog/ultrasurf-definitive-review
5.4 Exploit kits are being refined further

In comparison with 2010, a shift can be observed in the way in which virus infections happen. Many viruses are still sent by e-mail, and many computers are infected when users visit websites (which have often been hacked). In the latter case, vulnerabilities in the browser are abused. So-called exploit kits are increasingly being used for this last category. Instead of exploiting a single vulnerability, an exploit kit tries to exploit an extendable series of vulnerabilities. The specific vulnerabilities used depend on the operating system, the browser, the browser plugins and the location of the user. One example is the spread of the Sinowal virus via the NU.nl website. [72] In this attack, visitors to the website were also directed to an exploit kit, making it possible to install malware on the visitor's computer. The use of exploit kits makes it easier for a criminal to infect systems independently, without any in-depth technical knowledge. Therefore, more criminals are able to use these exploit kits. In criminal circles, exploit kits are sold as ready-made software packages. They often already include usable exploits, and new exploits can often be added as separate modules when they become available. The Blackhole and the older Phoenix exploit kits were popular in 2011 and the first quarter of 2012. The effectiveness of exploit kits is evident from the number of malware infections achieved. In the second half of 2011, a significant increase in the number of Dutch PCs infected with malware was observed. [73] Whereas 4.6 of every 1,000 computer systems were infected in the first quarter of 2011, this number had increased to 13.1 of every 1,000 computers in the fourth quarter. This increase has put the Netherlands above the worldwide average, which was 7.1 of every 1,000 computers in the fourth quarter of 2011.
The increase observed is primarily due to the EyeStye Trojan, which is responsible for 16 percent of infections in the Netherlands. It is unclear why this malware has spread so quickly in the Netherlands in comparison with other countries.

5.5 Major botnet involving Apple computers discovered

In the last half year, platforms that were not previously regarded as interesting targets have also been included in botnets, and the methods used to direct botnets have become more advanced. In April 2012, Flashback, [74] the first big botnet consisting of Mac computers, was discovered. Whereas, until recently, Mac users imagined themselves relatively safe against malware attacks, it has now been found that more than 500,000 Mac computers formed part of this botnet. What was striking was that more than 95 percent of the machines infected were located in just four countries (the United States, Canada, the United Kingdom and Australia). [75] The increased market share of the Mac underlines the fact that professional criminals will abuse all popular systems. Apple has issued a patch for its operating system, which can be used to clean an infected machine and resolve the vulnerability abused. Not only have Mac computers now become a target of attacks; a new way of directing a botnet of mobile devices has been developed as well: by text message. The TigerBot mobile malware is directed in this manner, and because it is difficult to filter the sending of text messages, it is also hard to block communication between the botnet administrator and infected phones. When mobile malware is used, this makes it difficult to adopt the normal approach to combating botnets, which involves locating the central servers of the botnet infrastructure. Apart from this, the functionality of the TigerBot mobile malware is comparable to that of other mobile malware.

72. http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident
73. http://www.microsoft.com/security/sir/archive/default.aspx
74. news.drweb.com/show/?i=2341&lng=en&c=14
75. http://www.security-technologynews.com/news/500000-apple-mac-flashback-trojan-infections.html
SECTION 6 Resilience
SECTION 6 > RESILIENCE

This section focuses on digital resilience in Dutch society and on the initiatives that companies, the government and citizens launch with the object of increasing this digital resilience. Digital resilience can be defined as the ability to resist negative influences on the availability, confidentiality and/or integrity of (information) systems and digital information. In addition, digital resilience involves the continuity of service provision and the continued effectiveness of service provision. In this context, information systems must be regarded as the whole of people, resources, processes and procedures, including the operation of that whole. Organisations are becoming increasingly reliant on complex, dynamic chains of information systems. Amongst other things, this complexity means that the impact of influences on these chains is unpredictable: minor influences may result in major disruptions, while major influences sometimes have barely any impact at all. Given the above, security measures for this chain of systems must be considered in relation to each other, taking into account the unpredictable nature of the situation. When doing this, a balance must be found between the performance of the information systems on the one hand and controls against disruptions on the other. An important characteristic here is the ability of systems to adapt. The initiatives included in this section are considered on the basis of five themes: norms, guidelines and standards; knowledge and awareness; enforcement and detection; information exchange and collaboration; and, finally, cyber security research and new methods. In general, generic initiatives are described that apply to society as a whole, a certain sector or a group of organisations.
The initiatives described have been developed on the basis of open sources and information made available by various parties; they certainly do not constitute an exhaustive list. The initiatives are described with their primary object in mind. Wherever possible, this object is stated in the heading in question. In most cases, no information is available yet about the effectiveness of the measures that underlie the initiatives, and/or this is difficult to estimate.

6.1 Norms, guidelines and standards

Norms, guidelines and standards on cyber security help organisations to improve the security of their information systems and networks. By doing this, they increase resilience in organisations and in Dutch society as a whole.

6.1.1 Step-by-step plan and checklist offer municipalities prospects for action after Leaktober

Immediately after the revelation of leaks in 50 municipal websites during the Leaktober incident in October 2011, the NCSC published a factsheet for the municipalities in question, containing a step-by-step plan and a checklist. The factsheet summarises information that had already been laid down in the Framework for Web Application Security [Raamwerk Beveiliging Webapplicaties] [76] several years earlier. Based on the factsheet, the municipalities affected, their suppliers and their hosting parties carried out a self-evaluation and took steps to put improvements in place. The self-evaluations were assessed by Logius and the NCSC. The improvements resulted in a significant improvement in security in sub-areas of the municipalities' information provision.

76. https://www.ncsc.nl/dienstverlening/expertise-advies/kennisdeling/whitepapers/raamwerkbeveiliging-webapplicaties.html
77. http://www.rijksoverheid.nl/documenten-en-publicaties/kamerstukken/2011/10/12/kamerbrief-lekkenin-een-aantal-gemeentelijke-websites.html
As a spin-off of this action, security awareness on the part of municipalities, their suppliers and hosting parties has improved too.

6.1.2 The ICT security guidelines for web applications increase the security level

Further to an explanation submitted by the cabinet to the Lower House of Parliament, [77] the NCSC formulated the ICT security guidelines for web applications in collaboration with various parties after Leaktober. This met a clear need in the market. Various organisations, including those that are not DigiD users, now use the ICT security guidelines for web applications to improve the security of their web applications. The ICT security guidelines for web applications were developed in intensive collaboration between all kinds of parties. These included government parties such as the NCSC, Logius, the Government Audit Department [Rijksauditdienst], the quality institute for Dutch municipalities [Kwaliteitsinstituut Nederlandse Gemeenten (KING)] and the Association of Netherlands Municipalities [Vereniging van Nederlandse Gemeenten (VNG)], commercial parties involved in information security and auditing, collaborative arrangements such as OWASP Nederland, and various organisations that use DigiD. The guidelines have been used to establish a DigiD connection norm. This norm is based on the ICT security guidelines for web applications and has been adopted by the Minister of the Interior and Kingdom Relations, in consultation with Logius, the Government Audit Department and the NCSC. Registered EDP auditors use the norm to carry out audits in which they assess the security of the applications of organisations that use DigiD. Based on this assessment, Logius can decide whether or not to permit the use of DigiD.
6.1.3 Cookie directive to protect internet users

Based on European directives from 2009, it will in future no longer be possible, with just a few exceptions, to place or read out data, including cookies, on a computer without the prior permission of the computer user. The user must be sufficiently informed and must also be given the opportunity to refuse. Thus, in the future, the search and surfing habits of consumers may no longer be used for matters such as targeted advertising (behavioural targeting). The relevant provision from the European directive has been included in the amended Telecommunications Act [Telecommunicatiewet], which was passed by the Lower House of Parliament in May 2012.

6.1.4 Information security baseline for the civil service

In 2011, steps were taken to formulate a system of norms for the information security baseline for the civil service [Baseline Informatiebeveiliging Rijk (BIR)]. In 2012 or 2013, this baseline will start to apply to every part of the civil service and will replace five interdepartmental systems of norms and the individual baselines currently in place in the civil service. The object of the baseline is to make it possible to choose the appropriate level of security, to increase confidence in other departments' networks and to promote the sharing of information between departments. Where necessary, departments and services will be able to add norms to the baseline, in line with their specific security requirements. At the time of writing this report, the information security baseline for the civil service has not yet been approved, as a result of which it is still not compulsory.

6.2 Knowledge and awareness

The incidents that occurred in the last year (2011) show how important it is to continue to strive for increased knowledge of and awareness concerning cyber security.
Various initiatives focus on increasing this knowledge and awareness in a broad set of target groups. Four approaches that we single out here are the citizen perspective, increasing awareness about ICS and SCADA systems, achieving increased awareness through red teaming and increasing awareness of espionage.

6.2.1 Citizens have a limited awareness of cyber security

Knowledge and awareness of cyber security are vital for the protection of citizens' personal and financial data. The government and private parties are jointly responsible for ensuring this, and various campaigns have therefore been launched within government and in the private sector with the object of making citizens aware of the risks for users of ICT and the internet. Examples are the digiskilled and digisecure [Digivaardig en Digiveilig] [78] programme organised by the ECP for the information society, the safe banking campaign [79] launched by the Dutch Banking Association and the look-after-your-bank-card [pas op je pas] campaign [80] run by the Dutch Banking Association and the police. The NCSC is also focusing its attention on improving awareness on the part of citizens, for example through the provision of online advice via the Dutch National Alerting Service [Waarschuwingsdienst]. [81] The campaigns referred to above are designed to improve digital skills, confidence in ICT and security awareness, to reduce the chance of phishing and, as such, to improve digital resilience. Research by the University of Twente [82] shows that some citizens are aware of the need to secure their computers against negative external influences and to put the corresponding technical measures in place, as shown in the figure below. Despite increased information provision on the subject of cyber security, the extent to which citizens put measures in place has not increased significantly, but it has certainly not decreased either.
The set of measures researched by the University of Twente can be regarded as a minimum set of security requirements. It significantly raises the threshold above which a party will become a victim of security incidents. However, this does not alter the fact that attackers are in an ever better position to bypass these basic measures. Although this is particularly observable in targeted attacks, the expectation is that it will increasingly be the case in random attacks on (large groups of) citizens too.

Figure 11. Measures designed to protect internet access (% of internet users), 2010 versus 2011. Measures surveyed: no measures, don't know, virus scanner, firewall, spam filter, pop-up blocker, automatic updates, anti-spyware program, checking who I e-mail personal data to, regularly changing passwords, porn filter. (Source: University of Twente/Center for e-government Studies, Trendrapport Computer Internetgebruik 2011)

78. See www.digivaardigdigibewust.nl
79. See www.veiligbankieren.nl
80. See www.pasopjepas.nl
81. See www.waarschuwingsdienst.nl
82. University of Twente / Center for e-government Studies, Trendrapport computer-internetgebruik 2011

6.2.2 Awareness of ICS and SCADA continues to be a problem

The NCSC has published a number of important guidelines for the security of ICS and SCADA systems, thereby committing itself wholeheartedly to promoting awareness of ICS and SCADA systems. The security measures recommended for ICS and SCADA systems are in part general measures, including the organisation of password management, patch management, defence-in-depth principles and monitoring. In addition, a number of specific measures are described, such as isolating ICS and SCADA systems from other systems and from the internet as much as possible.

6.2.3 Red teaming increases awareness of cyber security

Over the course of the last year, the National Coordinator for Counterterrorism and Security and the NCSC worked together to develop red teaming activities for organisations, enabling those organisations to increase their resilience. Red teaming is being used more and more and is proving to be an effective method for improving security and increasing awareness of information security. In this method, a team puts itself in the shoes of an attacker, with the object of putting the security of a system or organisation to the test. Red teaming can be applied to physical security, to information security or to a combination of both. In red teaming, a targeted action is carried out with a predetermined object in mind. This might be to identify documents that contain sensitive information or to secure hazardous substances. In the digital field, the method continues where penetration tests and vulnerability analyses stop.
6.2.4 The General Intelligence and Security Service increases awareness of espionage

The General Intelligence and Security Service provides information to companies and government bodies that may find themselves confronted with espionage. As part of this, their attention is drawn to vulnerabilities in relation to communication resources and digital systems, and to the consequences of digital espionage. The ultimate object of a targeted attack is to obtain sensitive information. For this reason, preventive strategies geared towards the identification and subsequent protection of confidential information are crucial. To support this process, the General Intelligence and Security Service has developed the espionage vulnerability analysis (KWAS) [83] in collaboration with the Dutch Directorate General for Safety and Security (DGV). This analysis provides points of reference that organisations can use to identify confidential information and to formulate recommendations for securing it, so that resistance to digital espionage may improve.

6.3 Administrative enforcement, detection and combating

The administrative enforcement, detection and combating of cyber security issues is a broad playing field that is not restricted by national boundaries. A large number of organisations play a direct or indirect role in this field, which covers every aspect of cyber crime and of crime on the internet in a broad sense. This subsection identifies a number of relevant developments and initiatives. Although some of these initiatives were launched before the present reporting period, they have not been reported on before and are included here because of their importance for controls.

83. See https://www.aivd.nl/onderwerpen-0/spionage-0
6.3.1 The Team High Tech Crime at the National Crime Squad expands

The Team High Tech Crime (THTC) at the National Crime Squad [Dienst Nationale Recherche] focuses on the detection and combating of cyber crime. In the previous period, it initiated the recruitment and selection of 30 new staff.

6.3.2 The Team High Tech Crime arrests professional criminals and other threat groups

Just as their counterparts abroad do, the Team High Tech Crime regularly arrests professional criminals and other actors from the threat groups. A recent example is the 17-year-old KPN hacker, who was traced through the use of digital detection methods. This hacker has now confessed, and the court has released him on parole pending his trial. Another example is the arrest of four Dutch suspects by the Team High Tech Crime. These arrests were part of an international FBI campaign in which 19 suspected members of Anonymous were arrested. The suspects are responsible for hacking various websites and are members of Antisec NL, an alleged splinter group of Anonymous.

6.3.3 The Team High Tech Crime commits itself to the detection and combating of child pornography on the internet

Child pornography is a form of crime in which large-scale use is made of the internet to create and maintain networks for the distribution and sale of pornographic material.
Although the detection and combating of child pornography does not contribute directly to digital resilience in society, combating child pornography is one of the spearheads of the Team High Tech Crime, and for this reason it deserves a place in the Cyber Security Assessment Netherlands. Further to the international Descartes research project, the Team High Tech Crime launched various research projects designed to detect and combat child pornography. These projects focus on the role that digital networks play in the distribution of child pornography. In these projects, a special search program is used to systematically search the pseudo-top-level domains of the Tor network for the presence of child pornography. [84] Following this, the Team High Tech Crime gained access to a number of sites and secured and destroyed the material encountered there. It was also made very clear that the police had been present on the site.

6.3.4 Cyber crime is also being combated at a European level

After creating the Analytical Workfile (AWF) in 2009, with the object of developing and improving a cross-border information position, Europol is now also directing its attention towards cyber crime by founding the European Cybercrime Centre (EC3). This centre will be based in The Hague from the beginning of 2013. Europol is opening the centre with the object of coordinating the European battle against online crime, including identity theft, child pornography and credit card fraud.

6.3.5 Two new notification duties make it compulsory to report privacy breaches

In May 2012, the Upper House of Parliament passed the new Telecommunications Act. This Act includes a stricter notification duty in relation to data leaks. [85] The Act applies solely to the providers of electronic networks and obliges these parties to report data leaks to OPTA.
In addition to this Act, initial consultations have taken place on a legislative proposal on the use of camera images and the notification duty in relation to data leaks. [86] In contrast to the relevant part of the Telecommunications Act, this notification duty will apply to all processors of personal data, and data leaks must be reported to the Dutch Data Protection Authority [College Bescherming Persoonsgegevens (CBP)] and to the parties affected. The report must describe both the leak in question and the measures put in place from a legal, technical and policy-related point of view. The legislative proposal on the use of camera images and the notification duty in relation to data leaks gives the Dutch Data Protection Authority the power to impose fines (only) when companies and organisations fail to report a data leak. The legislative proposals mentioned above are instruments that help to maintain the confidentiality of data. Although their primary object is to safeguard transparency for the parties concerned, their indirect object is to encourage companies to improve their security. As such, these legislative proposals are entirely in line with the system of measures that the private sector and government will be expected to put in place to protect sensitive data, and they may indirectly contribute to an increase in controls. In addition, specific sectors are subject to notification duties over and above those referred to already. This applies to banks and listed companies, for example.

6.3.6 The combating of botnets encouraged

The dismantling of the Bredolab botnet in October 2010 seems to have encouraged services in other countries to familiarise themselves with the legal limits of their investigative powers. A significant number of botnets have been taken down in the last half year and reported on in the media. In most cases, this involved public-private collaboration.
This made it possible to gather sufficient knowledge and the authority necessary to be able to intervene effectively in the operation of the botnet. For example, in March 2012, Microsoft carried out Operation B-71, in collaboration with private organisations and investigation services, in which the Command & Control servers for a number of Zeus botnets were deactivated. 87 In a similar operation, Kaspersky deactivated the Hlux/Kelihos botnet. 88

Due to the flexibility of the botnet infrastructure tackled, the effectiveness of operations of this nature is debatable. Although the Command & Control servers are deactivated in these operations, the botnet software still remains on the infected machines. The botnet administrators then install new Command & Control servers, enabling them to take over control again. 89 Given this fact, efforts to combat botnets should not focus exclusively on the deactivation of the central servers, but should also take a coordinated approach designed to disrupt the intermediate layers used (where these are hosted in the Netherlands) and to tackle the infections experienced by (Dutch) consumers. As such, when dismantling Bredolab, a warning was issued to the victims with infected machines, also explaining how they could clean their computers.

84. See, for instance, http://www.sbs6.nl/programmas/undercover-in-nederlands/over
85. See http://www.eerstekamer.nl/behandeling/20110622/gewijzigd_voorstel_van_wet/f=/viqjihbe44v5.pdf
86. See http://www.rijskoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/2011/12/20/ wijziging-van-de-wet-bescherming-persoonsgegevens-voor-verruiming-gebruik-camerabeeldenen-invoering-van-meldplicht-bij-datalekken/c-documents-and-settings-nsenff-ad-ooo-desktopcamera-pers-5641a-wetsvoorstel-gebruik-camerabeelden-en-meldplicht-datalekken-versieconsultatie-en-advies-dec-11.pdf
87. securitywatch.pcmag.com/security/296250-botnets-takedowns-a-game-of-whack-a-mole
88. securitywatch.pcmag.com/malware/295967-kaspersky-crowdstrike-take-down-kelihos-v2-botnet
89. securitywatch.pcmag.com/security/296250-botnets-takedowns-a-game-of-whack-a-mole
A number of Dutch Internet service providers (ISPs) and other market parties have now united in the botnets working group. This working group forms part of the internet security platform (Platform Internetveiligheid) created by ECP EPN. 90 The participants in the working group have laid down agreements in a covenant. In this working group last year, the cabinet proposed that a clearing house be set up to tackle the infections experienced by clients. This would make it possible for ISPs to inform clients that they have been infected and to help them disinfect their computers and keep them clean. As such, the clearing house is an important link in the detection and disinfection of botnets.

6.4 Information exchange and collaboration

National and international information exchange and collaboration are important resources that can be used to improve digital resilience in the Netherlands. Collaborative arrangements promote the exchange of crucial information, the determination of joint strategies and the achievement of a more effective response to incidents. A large number of collaborative arrangements exist in the field of cyber security and new initiatives are being launched on an almost daily basis. Although a number of new initiatives are included in this subsection, the list is not exhaustive.

6.4.1 The National Cyber Security Centre commits itself to collaboration

The NCSC, which was created in January 2012, is and will continue to be active in national and international networks of government organisations and in the private sector. Last year, collaboration with various parties was extended. The NCSC has committed itself wholeheartedly to collaboration between public and private organisations and is currently participating in the Information Sharing and Analysis Centers (ISACs), coordinated by CPNI.NL. This collaboration is also being reinforced through the affiliation of the ISACs to the NCSC.
A new development for the NCSC is its intensive collaboration with liaisons from various organisations. This includes representatives from the General Intelligence and Security Service, the National Police Services Agency, the Ministry of Defence, the Dutch Forensic Institute, the Public Prosecution Service, OPTA and private parties.

Besides creating the NCSC, the National Cyber Security Strategy (NCSS) also resulted in the foundation of the Cyber Security Council in mid-2011. The council formed the prelude to the creation of the NCSC and is responsible for advising government and private parties on relevant developments in the field of digital security. The council sets priorities for the tackling of ICT threats, considers the need for further research and development and then establishes the best way to share this knowledge with the collaborating public and private parties.

6.4.2 An ICT security function harmonises security in the civil service

At the end of 2011, a foresight study was carried out on the organisation of an ICT security function with the object of implementing a harmonised ICT security policy for the entire civil service. This study is part of the compact civil service programme, the object of which is to make government smaller and stronger. The foresight study provides an insight into the way in which the information security function is organised in the civil service. The study also provides an insight into which needs still exist and which new needs will arise as a result of the organisation of the compact civil service and its ICT infrastructure. At the time of writing this report, the study was at the assessment stage. The aim is to give substance to the elements proposed in the foresight study during the course of this year.
6.4.3 Combating cyber crime: achieving a balance between collaboration and enforcement

To be able to combat cyber crime effectively, the Team High Tech Crime is working continually to improve collaboration with various parties (including ICANN, RIPE-NCC and SIDN). Traditionally, organisations like this are not used to and do not benefit from government interference. For this reason, the development of forms of collaboration that are practicable for all of the parties involved is a long-term investment. All of the parties involved have a strong need for clarity about the limits of what the police are able to ask and what other parties are able to offer. An example in which this clarity is being sought is the order by which the Public Prosecution Service ordered RIPE-NCC to freeze IP ranges. This order was issued following a request for assistance. Following this, RIPE-NCC brought a test case, the object of which was to establish whether an order of this nature is lawful and valid. In time, the object is for this to result in case law, so that all of the parties know where they stand.

6.4.4 Electronic Crimes Taskforce improves the combating of financial fraud

The National Police Services Agency, the National Public Prosecutor's Office [Landelijk Parket], the banks and the Dutch Centre for Protection of the National Infrastructure (CPNI) are working together in the Electronic Crimes Taskforce (ECTF), also referred to as the banks team.

90. http://www.ecp-epn.nl/werkgroep-botnets
The ECTF focuses primarily on financial malware, phishing attacks and other cyber-crime related incidents targeting the financial sector. Participants exchange information, and by doing so improve their information position and analysis capabilities, put forward proposals on interventions and raise concrete (research) proposals for the effective combating of cyber crime. The ECTF is based at the National Police Services Agency.

6.4.5 Municipal ICT security service coordinates security subjects

The Association of Netherlands Municipalities (VNG) and the quality institute for Dutch municipalities (KING) have expressed the intention to create a municipal ICT security service. This service will be responsible for handling incidents that arise in municipalities and will ensure that coordination is provided where security problems arise. It will then not be necessary for all of the municipalities to address these problems individually; this municipal body will be able to take on this task instead. The idea is to publish a proposal on the creation of this service before the summer of this year. The committee of the Association of Netherlands Municipalities is still to decide on the above.

6.4.6 OPTA chooses a broader approach when combating cyber crime

Although OPTA has the powers necessary to take enforcement action by imposing fines or orders subject to a penalty for non-compliance, or by taking administrative enforcement action, it believes that it is more effective to use a whole range of formal and informal regulatory and detection actions rather than just imposing fines. OPTA developed this approach in 2010 and developed it further in 2011. The approach focuses on the provision of information, on prevention and on public-private collaboration with Internet service providers (ISPs) and hosting providers.
Just as in 2010, OPTA had contact with various parties in 2011, with the object of drawing their attention to their responsibilities as regards the activities of their clients. As a result, the spreading of malware is now observed at an earlier stage in many cases and is brought to a halt by the parties themselves. 91 OPTA applies the same approach to spam sent abroad from the Netherlands.

6.4.7 Interpol commits itself to international collaboration

The Netherlands has been a member of the Interpol European Working Party on IT Crime (EWPITC) since its creation. This collaboration makes it possible to formulate joint strategic objectives with a large number of other countries. Another interesting development is the future realisation of the Interpol Global Complex for Innovation in Singapore. This will facilitate worldwide collaboration in the field of cyber crime, which could take the form of the posting of liaisons from National High Tech Crime Units to this complex, for example.

6.5 Cyber security research and new methods

Research institutions are increasingly turning their attention to research projects that have the ultimate object of improving information security. The government plays a coordinating role here, aligning initiatives to each other and to the needs of the market. Finally, the private sector is developing initiatives that contribute to the achievement of this object too. Four examples of initiatives that illustrate the various categories outlined above follow below.

6.5.1 The government encourages cyber security research

On the initiative of the Ministry of Security and Justice, the Ministry of the Interior, the Ministry of Defence and the Ministry of Economic Affairs, Agriculture and Innovation, and in collaboration with the Netherlands Organisation for Scientific Research [Nederlandse Organisatie voor Wetenschappelijk Onderzoek (NWO)], a tender is due to be issued for cyber security research in due course.
92 An amount of 6.3 million euros is available for this research. Individual companies and consortia of knowledge institutions and companies will be able to submit research proposals this year, and projects will be organised for both long-term and short-term research. The tender referred to above is in line with the promotion of research as referred to in the National Cyber Security Strategy and will be given shape as part of the so-called top sector policy. The cyber security research forms part of the security roadmap under the High Tech Systems and Materials 93 top sector and of the ICT roadmap.

6.5.2 Companies certify designers, developers and testers

An increasing interest is being shown in the use of ethical hackers when testing the security aspects of systems. Various organisations provide methods, best practices and certifications for security testers, by which they endeavour to improve security testing. An (arbitrary) example of these organisations is the Council of Registered Ethical Security Testers (CREST). 94 It offers both a certification and a training programme. This type of initiative results in improved controls in the longer term, by delivering products that have been developed on the basis of an awareness of security.

91. http://jaarverslag2011.opta.nl
92. See, for instance, http://www.nwo.nl/nwohome.nsf/pages/nwop_8t3elr
93. See http://www.rijksoverheid.nl/onderwerpen/ondernemersklimaat-en-innovatie/investeren-in-topsectoren
94. See http://www.crest-approved.org
6.5.3 Cost models to identify the cost of cyber security

Various research projects have attempted to identify the costs of cyber crime and cyber security. This insight is important if it is to be possible to make well-considered decisions when putting protective measures in place. Research projects of this nature are usually subject to a considerable amount of criticism, sometimes because of the method used, sometimes because of the data used and sometimes because of both. The recent report published by TNO is a clear example in this respect. 95 An insight into costs requires the use of the appropriate method and the proper recording of the costs involved at source. Back in 2009, OPTA commissioned TU Delft to do research on a model that would make it possible to estimate the economic costs of spam and malware. 96 In the research conducted, a methodical framework was developed, making it possible to systematically list economic costs and estimate their level. The further development and application of this framework is desirable.

6.5.4 The General Intelligence and Security Service supports Network Security Monitoring

The General Intelligence and Security Service is promoting the use of security measures for the protection of data that are important for national security or for maintaining social life. In this framework, the General Intelligence and Security Service is contributing to the implementation of the National Cyber Security Strategy through the deployment of specific expertise in different areas. One of these activities involves gaining an understanding of the nature and extent of digital attacks that could damage national security, an example of which could be digital espionage by state actors. The General Intelligence and Security Service also provides targeted support to specific organisations (within the government and the private sector) when monitoring (information) systems.
It does this by checking network traffic from and to organisations for traces of targeted digital attacks. This research makes it possible to identify signs that point to the impairment of security measures and to inform national security bodies accordingly, enabling these bodies to put corrective or preventive measures in place. By doing this, they are in a position to increase resilience for critical (information) systems. The General Intelligence and Security Service also strives to strengthen and extend expertise and (inter)national collaboration geared towards recognising and combating advanced digital attacks. The General Intelligence and Security Service joins forces with commercial parties and universities in relation to the above.

6.6 The military forces improve digital resilience

The Cyber Taskforce has been operational within the Ministry of Defence since 1 January 2012. This taskforce operates on the basis of four lines of operation: (defensive and offensive) operations, intelligence, education and training, and research and development (R&D). Based on the elaboration of the vision on cyber operations (Uitwerking visie op cyberoperations) of June 2012, efforts are being made to found a Defence Cyber Expertise Centre [Defensie Cyber Expertise Centrum (DCEC)] at the end of 2013 and to create a Defence Cyber Command [Defensie Cyber Commando (DCC)] at the end of 2014. At a national level, collaboration is intensive. A liaison from the Cyber Taskforce, who will also represent the Military Intelligence and Security Service (MIVD), has been posted to the NCSC. At an international level, various initiatives for intensive collaboration have been launched. Recently, the so-called Note of Joining for the Cooperative Cyber Defence Centre of Excellence (CCD COE) was signed. This summer, the Netherlands is placing a legal officer in the policy branch of the CCD COE in Tallinn. Within NATO, the Netherlands is participating in the Multinational Cooperation Development Model 2 (MNCD2), an initiative of the NATO Consultation, Command and Control Agency (NC3A). A number of cyber tools are being developed as part of this initiative. Added to this, observer status has been gained for the Multinational Experiment (MNE) 7 initiative launched by NATO Allied Command Transformation (ACT). For cyber security, the cyber situational awareness and legal tracks are being observed in particular. The intensification of cyber intelligence, which is due to start in 2012, will be implemented with the creation of nine additional positions at the Military Intelligence and Security Service. Added to this, a senior university lecturer will be appointed to a position at the Dutch Defence Academy (NLDA) in the near future.

95. See http://www.tno.nl/content.cfm?context=overtno&content=nieuwsbericht&laag1=37&laag2=2& item_id=2012-04-10 procent2011:37:10.0
96. Source: Damages from internet security incidents, dated 10 December 2009, TU Delft
Appendices

Appendix 1: Bandwidths for cyber threats
Appendix 2: Case studies
Appendix 3: Vulnerabilities and incidents handled by the NCSC
Appendix 4: Abbreviations
Appendix 5: Definitions
APPENDIX 1 > BANDWIDTHS FOR CYBER THREATS

To be able to establish the various threat levels applicable in the Cyber Security Assessment Netherlands, incidents and threats are assessed on the basis of the criteria low, medium and high. Since no strict dividing lines apply for these bandwidths, fluctuations may arise when describing and classifying incidents and trends. The assessment criteria used for cyber threats in the Cyber Security Assessment Netherlands follow below.

Relevance of the threats:

Low: No new trends or phenomena are recognised that pose a threat. (Sufficient) measures are available for mitigation of the threat (to remove the threat). No appreciable incidents of the threat occurred during the reporting period.

Medium: New trends and phenomena are observed that pose a threat. (Limited) measures are available for mitigation of the threat. Incidents have occurred outside the Netherlands and there have been several minor incidents in the Netherlands.

High: Clear developments have been observed that facilitate the threat. Measures have a limited impact, because of which the threat continues to be significant. Incidents have occurred in the Netherlands.
APPENDIX 2 > CASE STUDIES

In this reporting period, there have been various case studies relating to cyber security incidents. Several of these case studies are described below, including examples of ICT problems and ICT vulnerabilities in critical infrastructures and the impact that incidents of this nature can have. SCADA systems and examples of incidents involving malware infections will be described too. Leaktober, during which various leaks were exposed in websites, including government websites, will be explained as well. Finally, examples will be given of leaks involving personal and sensitive data, which were obtained through hacking.

Vulnerabilities in infrastructure

There are various different critical infrastructures in the Netherlands, such as water supplies, telecom supplies and the electricity grid. Incidents involving infrastructures of this nature can have a major impact on society. Various examples of this type of incident follow below.

Vodafone

As a result of a fire at the business premises in which Vodafone had housed network equipment, Vodafone clients in the Randstad conurbation were unable to use their mobile phones to make calls, send texts or use the internet on 30 April 2012. So-called Machine-to-Machine communication was affected too, such as TomTom Live and the weather stations used by the KNMI. The clients affected included central government, which depends largely on Vodafone for its mobile phone calls. This incident made it clear that physical incidents involving critical infrastructures, such as the fire at Vodafone, can have a big impact on the availability of digital services. When organising an Information Security Management System (ISMS), it is important to bear physical incidents of this nature in mind. It is also striking that the national impact of the incident outlined above stemmed from a fire in a medium-sized, unmanned network exchange.
Seven hundred mobile telephone masts were connected to this network exchange, which ceased to work because of the fire. With the traffic flow being absorbed by other masts, extra traffic arose, as well as failures in other parts of the network. So, a relatively small junction proved to be a Single Point of Failure for a large area. This is alarming from the following point of view: an object of this nature could be an easy target for an attack (whether physical or cyber), making it possible to achieve a major impact with minimal effort. Finally, a discussion has arisen about the continuation of services: Vodafone failed to offer any alternative or back-up options.

Power cuts in Rotterdam

In the first few months of 2012, the municipality of Rotterdam experienced four major power cuts. In one of them, 50,000 households were left without power. The power cuts were caused by short circuits, maintenance work and defects and, according to the power companies in question, were completely unconnected. The loss of power had consequences for citizens and various organisations, which were forced to bring their work processes to a halt. In some cases, organisations had to be evacuated. The power cuts also had consequences for the subway system and trams, which ceased to operate, and for road traffic, because traffic lights stopped working. In one incident, Rotterdam The Hague Airport and the Erasmus Medical Centre were amongst the organisations in the area affected, but were able to switch to emergency supplies without experiencing any problems. During various power cuts, the 112 emergency number was difficult, if not impossible, to reach. One of the power cuts took place during the incident in which the Vodafone service was down. The unavailability of Vodafone mobile telephone connections prevented the network manager Stedin from obtaining information, because of which it took longer to resolve the situation.
ProRail, ICT failure

On 22 March, traffic control at the NS decided to halt rail traffic after it lost its overview of how trains were running following a series of related ICT failures. These failures occurred after an alternative procedure had been launched following the discovery of a defective hardware component. Although the traffic control systems were built as multiple-redundant systems, it was found that the automatic switching between these systems was not working well. When traffic control switched to a different system, the software failed to work, because a component was missing. Ultimately, this problem had major consequences for rail traffic. This incident confirms once again that (infrastructural) facilities in our society are becoming more and more reliant on ICT and that any ICT-related disruptions can have major consequences. This example also illustrates the importance of the structural and extensive testing of alternative procedures as part of business continuity plans.
ICS and SCADA

At around the turn of the year, an anonymous tweeter published a number of tweets in which he warned about the insufficient security in place for ICS and SCADA systems. As these tweets only indicated IP addresses and did not include any further specifics, it was not easy to analyse them. It was found that a small number of these cases did indeed relate to ICS and SCADA systems. The rest of the addresses related to other ICT systems, most of which did not contain any vulnerabilities. In February 2012, a public broadcaster broadcast a programme about vulnerabilities in the ICS and SCADA systems used by a Dutch municipality. One of these systems is supplied and administered by a supplier on behalf of the municipality. This system was used for sewage pumping and an easy-to-guess user name and password combination was in place. The press reported that this vulnerability could be used to flood the Delta area. This did not happen. In February 2012, the NCSC also received reports about ICS and SCADA systems for two swimming pools and a sports centre. It was possible for unauthorised parties to reach these systems via the internet and there was a chance that they would be able to operate these systems if they were actually to gain access. Based in part on these reports, it became clear that the often inadequate security of ICS and SCADA systems was put in the spotlight in detail for the first time in this reporting period.

Spreading malware via popular websites

In the reporting period, there were several instances in which it was discovered that malware had been spread via popular websites. In one case, the malware was spread at around midday via www.nu.nl, on the same day as an important news item, namely a coach accident involving school children. Approximately one million computers were exposed to the malware in just two hours. This example will be discussed in more detail below.
A similar incident was the infection of a toy chain's webshop. In another case, the exposure to malware was effected via the website of an internet journalist. These incidents show that internet criminals are deliberately targeting popular websites with the object of infecting a large number of computers in a short space of time.

NU.nl

On 14 March 2012, hackers managed to place malicious code on the popular news website NU.nl. This happened after an NU.nl employee's log-in data for the content management system (CMS) ended up in the wrong hands. 97 The object of the attack was to infect visitors to the site with malware. Anyone who visited the website between 11.30 and 13.45 was at risk of infection. Research has shown that an estimated 100,000 systems were affected. 98 One of the conditions for infection was the presence of outdated software on the system used by the possible victim: the malicious code exploited vulnerabilities in certain old versions of Adobe Reader and Java. This attack tactic is known as a drive-by download and is not a new development. However, what is unusual is the fact that one of the Netherlands' most popular websites formed part of an attack of this nature. 99 Sinowal banking malware was installed on victims' systems. The objects of this malware included the manipulation of bank transactions and the interception of log-in data for websites. The Sinowal variant used was not detected by any of the virus scanners at the time of infection. Added to this, a so-called rootkit was used to prevent the recognition and removal of the malware. The HitmanPro anti-virus tool produced by the Dutch company Surfright was the only virus scanner that was able to remove the malware in full a day after the infection. It was found that not all of the available updates had been installed on the systems used by government partners of the NCSC either; therefore these systems were vulnerable to this attack too.
A large number of different partners reported dozens to hundreds of infections. The NCSC made instructions on the recognition and removal of possible infections available to its partners. This incident once again highlights the importance of keeping up to date with security patches. Well before the NU.nl incident, the NCSC had warned against both of the vulnerabilities abused in its advisories and had also advised on the measures to be taken. It is clear that virus scanners alone will not be enough to ward off threats. This incident also shows the importance of website and web application security.

97. http://www.nu.nl/media/2763447/korte-tijd-malware-verspreid-via-nunl.html
98. http://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident
99. http://www.alexa.com/topsites/countries/nl
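The NU.nl compromise above follows a pattern a site owner can check for on its own pages: markup injected into a CMS-served page that silently loads an exploit kit, typically a hidden iframe, a script pulled from an off-site host, or an obfuscated inline loader. The scanner below is an added example written for this page, not code from the report, NU.nl or Fox-IT, and the report does not say what the injected code in the incident looked like. The allowed hosts, the example domains and both sample pages are constructed.

```python
"""Flag markup typical of injected drive-by-download loaders in fetched HTML.

Added example, not from the CSBN report. The allowlist, domains and sample
pages below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts and frames from (assumption).
ALLOWED_HOSTS = {"www.example-news.nl", "static.example-news.nl"}

# Constructs that obfuscated loaders lean on; benign pages rarely need them.
SUSPICIOUS_JS = re.compile(r"\b(eval|unescape|document\.write)\s*\(|fromCharCode", re.I)


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while walking the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    @staticmethod
    def _offsite(url):
        host = urlparse(url or "").hostname
        return host is not None and host not in ALLOWED_HOSTS

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden or self._offsite(src):
                self.findings.append(("hidden-or-offsite-iframe", src))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            if src and self._offsite(src):
                self.findings.append(("offsite-script", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._script_buf)
            if SUSPICIOUS_JS.search(body):
                self.findings.append(("obfuscated-inline-script", body[:40]))
            self._in_script = False


def scan_html(html):
    """Return the list of findings for one page; [] means no heuristic fired."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample pages: one as the CMS publishes it, one with injected markup.
CLEAN_PAGE = """<html><head>
<script src="https://static.example-news.nl/app.js"></script></head>
<body><h1>News</h1><script>var page = 'home';</script></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="https://static.example-news.nl/app.js"></script>
<script src="http://cdn-update.example/loader.js"></script>
</head><body><h1>News</h1>
<iframe src="http://203.0.113.9/in.php" width="0" height="0" style="display:none"></iframe>
<script>eval(unescape('%64%6f%63'));</script>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(CLEAN_PAGE))     # []
    for kind, detail in scan_html(INJECTED_PAGE):
        print(kind, detail)
```

An empty result only means none of the three heuristics matched, not that the page is clean, and the allowlist has to be maintained as legitimate third-party scripts change; the check is cheap enough to run against every published page after each CMS edit, which is the moment the NU.nl attack exploited.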
Unsecured web applications

Lektober (Leaktober)

Webwereld 100 proclaimed October 2011 Leaktober. On each working day in October 2011, it revealed information that had been leaked from a website or government service. Ultimately, 29 leaks were published. The most important publication related to a leak in 50 municipal websites. 101 These were old websites in most cases, but active websites in others. Weaknesses in these websites resulted in the bypassing of authentication by DigiD. Other Leaktober reports related to the leaking of confidential information, often via SQL injection. These leaks often related to websites outside the central government domain.

In response to the leak relating to the 50 municipal websites, the Minister of the Interior and Kingdom Relations sent a letter to the Lower House of Parliament. In this letter, he let it be known that the municipalities affected had been disconnected from DigiD with immediate effect, that they would be expected to ensure that their security was in order before the connection could be re-established and that, in the long term, all DigiD connections would be expected to comply with a security norm to be assessed on an annual basis. The letter states that the security norm is being formulated by the NCSC. Further to the above, guidelines have been produced by Logius, in collaboration with the NCSC. The object of these guidelines is to help the municipalities in their efforts to ensure that the security of their web applications is in order. These guidelines include a step-by-step plan and a checklist. The checklist contains the most important points to be met by a web application and its surrounding environment in order to pass a security assessment. The NCSC has assessed the security tests of the municipalities affected on the basis of this checklist and, where necessary, proposed or demanded improvements.
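The Leaktober findings above mention confidential data leaking via SQL injection and DigiD-protected sites whose own application code could be bypassed. The example below is added for this page and is not taken from the report or from any of the affected sites: against an in-memory SQLite database with a constructed news table and one constructed user, it shows a login check and a search that paste user input into SQL text, each beside its parameterised fix. Table and column names, the test data and the payloads are assumptions.

```python
"""SQL injection: the vulnerable query beside its parameterised fix.

Added example, not from the CSBN report. Schema, data and payloads are constructed.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (title TEXT)")
    con.execute("INSERT INTO news VALUES ('Council meeting'), ('Road works')")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")  # constructed
    return con


def login_vulnerable(con, username, password):
    # Input is pasted into the SQL text, so quotes in the input become syntax.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return con.execute(sql).fetchone()[0] > 0


def login_safe(con, username, password):
    # Placeholders: the driver passes values separately from the SQL text,
    # so quotes in the input are data, never syntax.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def search_vulnerable(con, term):
    # Same flaw in a read-only search: an attacker can UNION in other tables.
    sql = "SELECT title FROM news WHERE title LIKE '%%%s%%'" % term
    return [row[0] for row in con.execute(sql)]


def search_safe(con, term):
    sql = "SELECT title FROM news WHERE title LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + term + "%",))]


# Closes the password literal, then ORs in a tautology: "'' OR '1'='1'".
LOGIN_PAYLOAD = "' OR '1'='1"

# Closes the LIKE pattern, appends a UNION over the users table, and ends with
# an open literal so the query's own trailing "%'" completes "'a' LIKE 'a%'".
UNION_PAYLOAD = "x' UNION SELECT username || ':' || password FROM users WHERE 'a' LIKE 'a"

if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "alice", LOGIN_PAYLOAD))  # True: bypassed
    print(login_safe(con, "alice", LOGIN_PAYLOAD))        # False
    print(search_vulnerable(con, UNION_PAYLOAD))          # ['alice:correct horse']
    print(search_safe(con, UNION_PAYLOAD))                # []
```

The search case is the one that matches Leaktober's data leaks: no authentication is involved, a public page simply returns rows from a table it was never meant to expose. Bound parameters close both holes; input validation alone does not, because the payloads use only characters a search box has to accept.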
As a result of this procedure, the municipalities in question have improved their security significantly. In some cases, this has been accompanied by the full renewal of server hardware and software. Although almost all of the problems from the checklist have now been reviewed, a number of shortcomings stand out, such as the fact that software components (the operating system, web server, database management system, development software, etc.) were not up to date and that the network architecture left considerable room for improvement. These problems have now been resolved by the municipalities affected. The first parties are currently being assessed on the basis of the DigiD norm, which is based on a set of guidelines formulated by the NCSC. The expectation is that this assessment will reveal shortcomings similar to those highlighted in the assessment of the municipalities affected.

The disclosure of data obtained from hacking

In the previous period, there were various incidents in which personal and sensitive data obtained via hacking were disclosed on the internet. Several examples from the period behind us follow below. Around the Christmas period, members of the Anonymous hackers group used Wikileaks to publish data relating to many thousands of clients of the American security company Stratfor, a company that supplies intelligence data to government bodies. The client data published included Dutch clients. Besides action groups, hackers without any hacktivist motives published data on the internet too. For example, client data of various companies, including Youporn, Babydump and Humannet, were published on the internet. Added to this, the IP addresses of possibly leaky systems were disclosed. The publication on the internet of data obtained from hacking is a fairly new phenomenon. These publications would not seem to have any purpose other than to embarrass the owners of these data.
This does not alter the fact that these incidents represent a breach of the privacy of the parties affected. A well-known example of the apparent disclosure of data obtained from hacking is the hacking incident at KPN.

KPN

On 27 January 2012, KPN reported a break-in on its internet system to the NCSC. On 16 January 2012, an attacker had been able to penetrate deep into its infrastructure and had also gained the most far-reaching access rights on hundreds of servers. These servers were used for internet services, the routing of internet-based services and the storage of (client) information. The computer system was damaged because malicious software had been installed on it, as a result of which KPN's normal security was bypassed. The hacker also had rights to the DNS (Domain Name Server) systems and user rights on one of the routers. This made it possible for him to temporarily influence the routing of internet traffic of KPN's consumer clients. Since the Voice over IP service is also provided via this routing, including, for example, 112 emergency calls made by clients via VoIP, the threat was taken seriously.

100. Webwereld (2011, 1)
101. Webwereld (2011, 2)
To be able to remove the threat, KPN isolated, cleaned and reinstalled a large number of KPN systems. All of these activities had been completed by 3 February. After the alleged perpetrators had published what appeared to be client data on the internet on 10 February, KPN immediately put rigorous measures in place to protect its clients' data. For example, incoming e-mail was blocked. However, when the client data were analysed, it was found that these data did not originate from the break-in at KPN after all. They had been stolen previously during a break-in at the webshop of a supplier of baby articles, where the hacker had copied only the data belonging to KPN clients, which he then published on the internet.

The NCSC monitored the broader consequences potentially extending beyond the technical issue experienced by KPN and took on responsibility for coordinating contacts between the various government parties. Emphasis here was placed on the possible consequences for (central) government, national security and internet traffic. There is no evidence to suggest that the hacker actually changed the routing of internet traffic. The promptness of the measures put in place and the collaboration between the various parties meant that national security was not put at risk. The Ministry of Security and Justice informed the Lower House of Parliament of this issue on 14 February.

On 20 March, the police arrested a 17-year-old boy, who is suspected of being responsible for the hacking incident described above. The National Crime Squad had followed his traces on the internet for weeks. Given the above, the expectation is that further information about his modus operandi will become known during the course of the investigation. The boy has now been released, subject to the condition that he stays offline.
APPENDIX 3 > VULNERABILITIES AND INCIDENTS HANDLED BY THE NCSC

The NCSC (and GOVCERT.nl before it) supports government bodies and organisations in vital sectors in handling incidents relating to ICT security. In this role, incidents are reported to the NCSC, and the NCSC itself also identifies incidents and vulnerabilities, on the basis of monitoring, for example. [102]

The NCSC defines an incident as an ICT-related security incident that has been reported or discovered and in which there was an immediate threat or damage to ICT systems or electronic information, relating to one or more specific organisations, to which GOVCERT responded with action for these organisations. This definition implies that an incident need not always have resulted in damage yet, but can be a danger without damage already having taken place. More specifically, incidents can be broken down into three types:

- attack: an (attempted) attack has actually taken place, possibly resulting in a breach of security. An attack could involve hacking, malware infections and ddos attacks, for example;
- threat: there is a malicious intention on the part of an actor to carry out an attack, but this attack has not been carried out yet;
- vulnerability: an ICT environment is vulnerable as a result of a software, hardware or system configuration error, for example. A vulnerability may not (yet) be the subject of a threat or attack, but it does make abuse possible.

Added to the above, the NCSC takes action at the request of international parties, particularly Internet service providers. In these instances, the NCSC helps these service providers to combat cyber incidents abroad that have originated from the Netherlands (from a web server or infected PCs in the Netherlands, for example). The NCSC classifies these activities as international aid requests.
Numbers of incidents handled per target group

An analysis of the incidents handled by the NCSC shows a number of developments. A strong increase in the number of incidents handled by the NCSC is evident with effect from 1 January 2012. This is primarily due to the number of incidents handled that originated from the private sector and can be explained by the fact that the NCSC offers its services to both government bodies and private parties, whereas GOVCERT.NL focused solely on government bodies.

Table 6. Incidents handled by the NCSC and GOVCERT.NL per target group

NCSC action   Government incidents   Private incidents   International aid request   Total
10Q4          28                     3                   14                          45
11Q1          25                     4                   8                           37
11Q2          47                     12                  8                           67
11Q3          29                     9                   9                           47
11Q4          46                     6                   5                           57
12Q1          57                     33                  9                           99
Total         232                    67                  53                          352

Figure 12. Total number of incidents handled by the NCSC and GOVCERT.nl per type of action (chart by quarter, 10Q4 to 12Q1; series: Government incidents, Private incidents, International aid request)

102. The NCSC does not register incidents at the level of individual systems or organisations, but clustered per report or identification. A report of several vulnerable systems may therefore have been registered as a single incident.
Table 7. Incidents handled by the NCSC and GOVCERT.NL by type of incident per quarter

Period   Threat   Attack   Vulnerability   Total
10Q4     7        18       3               28
11Q1     1        24       -               25
11Q2     3        40       4               47
11Q3     2        23       4               29
11Q4     1        28       17              46
12Q1     4        24       29              57
Total    18       157      57              232

Figure 13. Total number of incidents reported by the NCSC and GOVCERT.NL by type (chart by quarter, 10Q4 to 12Q1; series: Threat, Incident, Vulnerability)

Nature of incidents experienced by government

An analysis of the incidents that have been handled by the NCSC for government bodies reveals an increase in the number of incidents in the final quarters too. A further breakdown into attacks, threats and vulnerabilities shows that the increase does not apply to all incident types. The increase is primarily due to a strong rise in the number of vulnerabilities handled. The cause of this strong increase should not be sought in ICT systems having become more vulnerable recently. Based on past experience, it can be assumed that many systems had already been vulnerable for some time, but that the increased attention being given to vulnerabilities by security researchers has brought more of these situations to light. As vulnerabilities are being reported by researchers with good intentions, it is now possible to remove these vulnerabilities and improve controls for systems.

Further details about the different types of incident

When the incidents experienced by government parties are considered in more detail, it becomes clear that the number of website vulnerabilities has increased. Added to this, malware infections constitute a large share of the incidents handled. Together, these two types of incident represent slightly more than half of the incidents handled. Leaked (personal) information and unprotected/vulnerable systems are frequent types of incident too.

Figure 14. Percentage of incident types for the period 10-2011 to 03-2012 (pie chart; categories as in Table 8)

Table 8: Incidents handled by the NCSC and GOVCERT.NL by type of incident per quarter

Type of incident                   Percentage 10-2011 up to and including 03-2012   Percentage 04-2011 up to and including 09-2011
Website vulnerability              35%                                              9%
Malware infection                  17%                                              51%
Information leak                   11%                                              8%
Unprotected or vulnerable system   8%                                               0%
Phishing                           7%                                               7%
ddos attack                        6%                                               3%
Attack threat                      5%                                               7%
Hacking attempt                    5%                                               1%
Other                              6%                                               14%
APPENDIX 4 > ABBREVIATIONS

A
AIVD: General Intelligence & Security Service [Algemene Inlichtingen en Veiligheidsdienst]
APT: Advanced Persistent Threat

B
BAVO: Vital and government security alignment plan [Beveiligingsafstemming Vitaal en Overheid]
BGP: Border Gateway Protocol
BIR: Information security baseline for the civil service [Baseline Informatiebeveiliging Rijksoverheid]
BOF: Bits of Freedom
BYOD: Bring Your Own Device

C
CA: Certificate Authority
CBP: Dutch Data Protection Authority [College Bescherming Persoonsgegevens]
CBS: Statistics Netherlands [Centraal Bureau voor de Statistiek]
CCD COE: NATO Cooperative Cyber Defence Centre of Excellence
CERT: Computer Emergency Response Team
CMS: Content Management System
CNA: Computer Network Attack
CNE: Computer Network Exploitation
CREST: Council for Registered Ethical Security Testers
CSBN: Cyber Security Assessment Netherlands [Cybersecuritybeeld Nederland]
CSI: Computer Security Institute
CVE: Common Vulnerabilities and Exposures
CVSS: Common Vulnerability Scoring System

D
DCS: Directie Cyber Security (directorate within NCTV)
DNS: Domain Name Service
DNSSEC: Domain Name System Security Extensions
ddos: distributed denial of service
DoS: Denial of Service

E
EC: European Commission
ECP: Electronic Commerce Platform Netherlands
EDP: Electronic Data Processing
EMV: Europay MasterCard Visa

F -

G -

H -

I
ICS-CERT: Industrial Control Systems Computer Emergency Response Team
ICS/SCADA: Industrial Control Systems/Supervisory Control And Data Acquisition
IP: Internet Protocol
IPSec: Internet Protocol Security
ISAC: Information Sharing and Analysis Center
ISP: Internet Service Provider

J -

K
KING: Quality institute for Dutch municipalities [Kwaliteitsinstituut Nederlandse Gemeenten]
KLPD: National Police Services Agency [Korps Landelijke Politiediensten]
KWAS: Espionage vulnerability analysis [Kwetsbaarheids Analyse Spionage]

L -

M
MBR: Master Boot Record
MIVD: Military Intelligence and Security Service [Militaire Inlichtingen en Veiligheidsdienst]

N
NCSS: National Cyber Security Strategy
NCSC: National Cyber Security Centre (part of the Directorate Cyber Security)
NCTV: National Coordinator for Counterterrorism and Security [Nationaal Coördinator Terrorismebestrijding en Veiligheid]
NLDA: Dutch Defence Academy [Nederlandse Defensie Academie]
NVB: Dutch Banking Association [Nederlandse Vereniging van Banken]
NWO: Netherlands Organisation for Scientific Research [Nederlandse Organisatie voor Wetenschappelijk Onderzoek]

O
OM: Public Prosecution Service [Openbaar Ministerie]
OPTA: Independent Post and Telecommunications Authority [Onafhankelijke Post en Telecommunicatie Autoriteit]
OWASP: Open Web Application Security Project

P
PaaS: Platform as a Service
PKI: Public Key Infrastructure

Q -

R
RFID: Radio-frequency identification

S
SaaS: Software as a Service
SOHO: Small Office Home Office
SSL: Secure Socket Layer

T
THTC: Team High Tech Crime
TLD: Top Level Domain
TNS/NIPO: Dutch Institute for Public Opinion [Nederlands Instituut voor de Publieke Opinie]
TNO: Netherlands Institute of Applied Geoscience [Toegepast Natuurwetenschappelijk Onderzoek]

U
UMTS: Universal Mobile Telecommunications System

V
VNG: Association of Netherlands Municipalities [Vereniging van Nederlandse Gemeenten]

W -

X -

Y -

Z -
APPENDIX 5 > DEFINITIONS

2G/3G: 2G is an abbreviation for second-generation wireless telephone technology. The advantage of 2G was that connections were digitally encrypted. 3G (also known as UMTS or CDMA) is the successor to 2G. 3G has advantages over 2G in terms of security and communication speed.

Acquisition: The collection of information and intelligence in the Netherlands and abroad on cyber security developments and incidents forms the basis for the preparation of sound threat analyses.

APT: An Advanced Persistent Threat (APT) is a motivated (and sometimes advanced), targeted attack on a nation, organisation, person or group of persons.

Authentication: Validating whether the proof of identity of a user, computer or application matches predefined authenticity features.

Authorised parties: Parties that have authorised or functional access to (parts of) the company, location, process, resources or information.

Bluetooth: Bluetooth is a standard for wireless communication used in the exchange of data over short distances, specified by Ericsson in 1994.

Border Gateway Protocol (BGP): The Border Gateway Protocol is the most important routing protocol of the internet. It defines the way in which information is exchanged between networks across network routes.

Bot/Botnet: A bot is an infected computer that can be controlled remotely for malicious purposes. A botnet comprises a series of such infected computers that can be centrally controlled. Botnets make up the infrastructure for many forms of cybercrime.

Card Verification Value (CVV)/Card Verification Code (CVC): The CVV or CVC is a security feature designed to help prevent credit card/debit card fraud.

Certificate: See Secure Sockets Layer certificate.

Certificate Authority (CA): In a PKI system, a certificate authority is an organisational unit that is trusted to create (generate), assign and revoke certificates.

Classification: Establishing and specifying that data constitute special information and determining and specifying the level of security necessary for this information.

Classified data: Data that have been authenticated by a party and/or owner, including documents or material to be protected against unauthorised disclosure, and that must have been authenticated as such in a security classification.

Cloud, Cloud services: An internet ("the cloud") based model for system architecture that mainly involves the use of Software as a Service (SaaS).

Common Vulnerabilities and Exposures (CVE): CVE is the unique common identification of publicly known data security vulnerabilities.

Compromise: Familiarisation, or the possibility for an unauthorised party to familiarise himself, with special information.

Computer Emergency Response Team (CERT): A team with the primary responsibility to prevent incidents and, when they do occur, to act effectively to limit their impact.

Computer Network Attack (CNA): The vandalisation of systems in order to disrupt or destroy the system itself, the data in it or the processes it controls.

Computer Network Exploitation (CNE): Breaching an electronic system in order to obtain the information contained in it or sent with it.

Confidentiality: A quality characteristic of data in the context of information security. Confidentiality can be defined as a situation in which data may only be accessed by someone with the authorisation to do so. The owner of the data in question decides who has this authorisation.

Cookie: A cookie is information a web server saves on the end user's computer. This information can then be retrieved by the web server the next time the end user connects to the server. Cookies can be used to save user settings or to track the user.

Data breach, data leak: The unintentional release of confidential data.

Defence: Optimal measures should be put in place to protect the State, legal order and (vital parts of) Dutch society against cyber threats or incidents.

Denial of Service (DoS), Distributed Denial of Service (ddos): Denial of Service is the term for a type of attack in which a particular service (e.g. a website) becomes unavailable to the usual consumers of the service. DoS attacks on websites are often performed by bombarding websites with huge amounts of network traffic, so that they become unavailable.

DigiD: The digital identity of citizens, used to identify and authenticate them on government websites. It allows government institutions to ascertain whether they are really dealing with the individual in question.

Document: The term document covers letters, notes, memos, reports, presentations, drawings, photos, films, maps, sound recordings, text messages, digital carriers (CD-ROMs and USB) or any other physical medium on which information can be reproduced.

Domain Name System (DNS): DNS is the term for the system that links internet domain names to IP addresses and vice versa. For example, the URL www.ncsc.nl represents IP address 62.100.52.109.

Do-not-track (DNT): An option offered by modern browsers to prevent a user's surfing habits being tracked by third parties.

End of Life: In software circles, the end of life of a product is the moment at which a product is no longer considered current software by the vendor. When software reaches end of life, the vendor will generally no longer release updates or provide support for it.

Europay Mastercard Visa (EMV): A standard for debit card systems using chip cards and chip card pay terminals. The chip card replaces cards with an easy-to-copy magnetic strip.

Exploit/exploit code: Software, data or a series of commands that exploit a hardware/software vulnerability for the purpose of creating unintended or unexpected behaviour of that software or hardware.

General Packet Radio Service (GPRS): GPRS is a technology used to send mobile data over an existing GSM network.

Gerubriceerde gegevens (classified data): Data authenticated by a party and/or owner, including documents or material that must be protected against unauthorised disclosure and that have been marked as such in a security classification.

Global Positioning System (GPS): A satellite-based location system precise to within several metres. GPS is used for applications such as navigation.

Global System for Mobile Communications (GSM): GSM is a standard for digital mobile telephony. GSM is considered a second-generation mobile phone technology (2G).

Hacker: The most conventional definition of a hacker (and the one used in this document) is someone who attempts to break into computer systems with malicious intent. Originally, the term hacker was used to denote someone using technology (including software) in unconventional ways, usually with the objective of circumventing limitations or achieving unexpected effects.

HyperText Markup Language (HTML/HTML5): HTML is a markup language used to define documents, mainly intended for building webpages.

Identity fraud: Deliberately creating the appearance of a different identity than one's own with malicious intent.

Industrial Control Systems (ICS), Supervisory Control And Data Acquisition (SCADA): Measurement and control systems used to control industrial processes, for example, or building management systems. ICS and SCADA systems collect and process measurement and control signals from sensors in physical systems and steer the corresponding machines or devices.

Information: A set of data (with or without context) stored in thoughts, in documents (on paper, for example) and/or on (electronic, optical or magnetic) digital information carriers.

Information security: The process in which the quality necessary for information (systems) is established in terms of confidentiality, availability, integrity, irrefutability and verifiability, and in which a coherent package of corresponding (physical, organisational and logical) security measures is put in place, maintained and monitored.

Information system: A connected whole of data collections and the corresponding persons, procedures, processes and software, as well as the storage, processing and communication provisions put in place for the information system.

Integrity: A quality characteristic for data, an object or a service in the context of (information) security. This is a synonym for reliability. Reliable data will be correct (rightfulness), complete (not too much and not too little), prompt (on time) and authorised (edited by a person who is authorised to do so).

Internet Protocol (IP): A protocol that handles the addressing of data packets so that they arrive at the intended destination.

Internet Service Provider (ISP): A supplier of internet services, often simply referred to as a provider. The services provided may relate to the internet connection as well as to online services.

Malware: A contraction of malicious and software. Malware is currently used as a generic term for viruses, worms and Trojans, amongst other things.

Man-in-the-middle attack: An attack in which the attacker is situated between two parties, for example an internet shop and a customer. The attacker masquerades as the shop to the customer and as the customer to the shop. As intermediary, the attacker is able to eavesdrop on or manipulate the information exchanged.

Marking: A designation that indicates a certain approach to be adopted to special information.

Notification duty: In the event of loss, theft or abuse of personal data or of the integrity of information systems, the owner is obliged to notify the national regulatory body.

Network Address Translation (NAT): A method of re-using IP addresses. A temporary answer to the exhaustion of IP addresses. It also ensures that systems inside an organisation are not directly accessible from outside.

Open Web Application Security Project (OWASP): OWASP is a not-for-profit worldwide organisation with the goal of improving the security of application software.

Patch: A patch may comprise repair software or contain changes that are directly implemented in a program with the purpose of repairing or improving it.

Payment Card Industry (PCI) compliance: A data security standard for organisations that process cardholder information for debit cards, credit cards, e-purse, GEA and BEA cards.

Personal Digital Assistant (PDA): A mobile device that functions as a personal information manager.

Phishing: An umbrella term for digital activities with the object of tricking people into giving up their personal data. These personal data can be used for criminal activities such as credit card fraud and identity theft.

Preparation: Dutch society must be aware of the possibility of a cyber threat, attack and/or incident and must be prepared for the (possible) consequences of attacks of this nature.

Prevention: In line with international developments, the Dutch government is increasingly placing its focus on the prevention of cyber crime and cyber security incidents.

Prosecution: The detection, prosecution and trial of persons suspected of committing cyber crime, or of preparing cyber crime, are all essential parts of efforts to combat cyber crime and resolve incidents.

Public Key Infrastructure (PKI): A Public Key Infrastructure is a collection of organisational and technical resources with which a number of operations can be performed in a reliable manner, such as encrypting and signing information and establishing the identity of another party.

Relevance: Indicates the connection between the various threats, threat groups and targets. To determine the various threat levels in the Cyber Security Assessment, the low, medium and high criteria are applied to incidents and threats in analyses (see Appendix 1).

Remote Access: Data processing remotely through a communication connection.

Rootkit: A piece of software that grants an attacker more rights on a computer system and hides its presence from the operating system.

RFID: Radio frequency identification devices are small chips that are able to use radio wave identification to store and/or read out information remotely. The so-called RFID tags may be placed on or in objects or living creatures (cat or dog chips).

Secure Sockets Layer (SSL), SSL certificate: An SSL certificate is a file that functions as the digital identification of a person or system. It also includes PKI keys used to encrypt data during transmission. A familiar application of SSL certificates is the HTTPS secure website.

Securing: Protecting against violence, threats, danger or damage by putting measures in place.

Security alignment Vital and Government: The vital and government security alignment plan [Beveiligingsafstemming Vitaal en Overheid plan (BAVO)] relates to the alignment of the internal security measures put in place by companies in the vital sectors with the security-oriented measures put in place by municipalities, regional police and any other partners.

Security incident: A security incident (or information security incident) is one or a series of unwanted or unexpected events that are significantly likely to cause a disaster, compromise business processes or pose a threat to security.

Sensitive information: Information about critical (vital) infrastructure that, if it were disclosed, could be used to make plans and commit offences with the object of disrupting or destroying critical infrastructure systems.

Shimming: A method of attacking chip cards that involves tapping and potentially manipulating the communication between terminal and chip card.

Skimming: The illegitimate copying of data from an electronic payment card such as a cashpoint card or a credit card. Skimming often involves the theft of PIN codes with the final objective of making payments or withdrawing money from the victim's account.

Social engineering: An attack technique that exploits human characteristics such as curiosity, trust and greed with the objective of obtaining confidential information or inducing the victim to perform a particular action.

Spoofing, IP spoofing: Spoofing means impersonating another person, usually in a malicious sense. IP spoofing uses the IP address of another computer, either to mask the origin of the network traffic or to have a computer actually impersonate another computer.

State secret: Special information, the secrecy of which is vital to the interests of the State or its allies.

State secret - Confidential: Where familiarisation with information by unauthorised parties could damage the interests of the State or its allies.

Stepping stone: A stepping stone attack is an attack that is perpetrated via a number of systems and/or organisations. This is also referred to as a chain attack. A malicious party will use a series of hacked machines (some of which may have been hacked previously) to achieve its ultimate goal. The stepping stone attack is also a tool that can be used to hide a party's own true identity.

Tablet: A portable computer whose screen is also the main input device.

Third party rule: Analogous to the rule applied in dealings between intelligence and security services, namely that data these services receive from each other are intended solely for their own use and may not be disclosed to third parties without the prior permission of the providing service (also referred to as the third country rule).

Threat: The Cyber Security Assessment defines the terms goal and threat as follows. The ultimate goal (intention) could be to strengthen a competitive position, political and national gain, social disruption, to prevent a threat to life, etc. Threats in the report have been classified as follows, for instance: digital espionage, digital sabotage, the publication of confidential data, digital disruption, cyber crime and indirect disruptions.

Token: A physical device that helps an authorised user of computer services prove the identity of that user.

Two-factor authentication: A method of authentication requiring two independent proofs of an identity. These proofs may be knowledge, possession or biometric properties that prove the identity of the requestor.

Universal Mobile Telecommunications System (UMTS): See 2G/3G.

Universal Serial Bus (USB): Specification of a standard for the communication between a device (generally a computer) and a peripheral.

Vulnerability: A weak spot in hardware or software that can be exploited for undesirable activities.

Web application: The totality of software, databases and systems involved in the proper functioning of a website and its underlying technology (the website being the visible portion).

Wi-Fi: A trademark of the Wi-Fi Alliance. A device with Wi-Fi can communicate wirelessly with other devices at a range of up to several hundred metres.

Zero day exploit: An exploit that takes advantage of a vulnerability for which no patch is yet available.
ADDITIONS AND NOTES
Colophon

Publication
The National Cyber Security Centre, The Hague
June 2012

Wilhelmina van Pruisenweg 104
2595 AN The Hague
The Netherlands

P.O. Box 117
2501 CC The Hague
The Netherlands

T +31 (0)70-888 75 55
F +31 (0)70-888 75 50
E info@ncsc.nl
I www.ncsc.nl
National Cyber Security Centre

Via collaboration between the private sector, the government and academia, the National Cyber Security Centre (NCSC) contributes towards the achievement of greater resilience in Dutch society in the digital domain. The NCSC supports central government and organisations with a vital function in society by providing them with expertise and advice, threat response and with action to strengthen crisis management. It also provides information and advice to citizens, government and the private sector, which it does to promote awareness and prevention. As such, the NCSC is the central notification and information centre for ICT threats and security incidents.

National Cyber Security Centre
Wilhelmina van Pruisenweg 104
2595 AN The Hague
The Netherlands

P.O. Box 117
2501 CC The Hague
The Netherlands

T +31 (0)70-888 75 55
F +31 (0)70-888 75 50
E info@ncsc.nl
I www.ncsc.nl

June 2012