Publication
National Cyber Security Centre
PO Box 117, 2501 CC The Hague, the Netherlands
Turfmarkt 147, 2511 DP The Hague, the Netherlands
+31 70 751 55 55

More information
www.ncsc.nl
csbn@ncsc.nl

October 2016

Cyber Security Assessment Netherlands
CSAN 2016

National Cyber Security Centre

The National Cyber Security Centre (NCSC), in collaboration with the business community, government bodies and academics, is working to increase the ability of Dutch society to defend itself in the digital domain. The NCSC supports the central government and organisations with a vital function in society by providing them with expertise and advice, threat response and with actions to strengthen crisis management. In addition, the NCSC provides information and advice to citizens, the government and the business community relating to awareness and prevention. The NCSC thus constitutes the central reporting and information point for IT threats and security incidents. The NCSC is part of the Cyber Security Department of the National Coordinator for Security and Counterterrorism.

National Coordinator for Security and Counterterrorism

The National Coordinator for Security and Counterterrorism (NCTV) protects the Netherlands against threats that may disrupt society. Together with its partners within the government, the science community and the business sector, the NCTV ensures that the Dutch critical infrastructure is safe and remains so.

Collaboration and sources

In drawing up this report, the NCSC gratefully used information provided by the following parties:
- The various ministries
- Military Intelligence and Security Service (MIVD)
- Defence Computer Emergency Response Team (DefCERT)
- General Intelligence and Security Service (AIVD)
- Dutch National Police (National High Tech Crime Unit)
- Public Prosecution Service
- Representatives of critical infrastructure organisations, members of the Information Sharing and Analysis Centres (ISACs) and other NCSC partners
- NCTV
- National Management Organisation for Internet Providers (Nationale Beheersorganisatie Internet Providers)
- Internet Standards Platform (Platform Internetstandaarden)
- Bits of Freedom
- Consumers' Association
- ICT Netherlands (Nederland ICT)
- Dutch Payments Association
- Confederation of Netherlands Industry and Employers (VNO-NCW)
- Scientific institutions
- Universities
- Experts in the field of cyber security

The contributions of these parties have, together with substantive reviews, publicly accessible sources, a survey, information from the critical infrastructure and analyses from the NCSC, contributed to the substantive quality of this assessment.

Table of contents

Summary
Key findings
Insight into threats and actors
Introduction
1 Manifestations
  Activities aimed at monetary gain
  Activities aimed at acquiring information
  Activities aimed at disruption
  Manifestations with unintentional damage
2 Threats: Actors
  Professional criminals
  State actors
  Terrorists
  Hacktivists
  Cyber vandals and script kiddies
  Internal actors
  Cyber researchers
  Private organisations
  Conclusion and looking ahead
3 Threats: Tools
  Malware
  Tools
  Denial-of-Service attacks
  Obfuscation: hiding criminal activity
  Attack vectors
  Conclusion and looking ahead
4 Resilience: Vulnerabilities
  Organisational developments
  Developments on the user's side
  Technical developments
  Conclusion and looking ahead
5 Resilience: Measures
  Human beings
  Technology
  Dutch developments
  International developments
  Responsible or coordinated vulnerability disclosure
  Conclusion and looking ahead
6 Interests
  Societal interests
  The development of interests
  Conclusion and looking ahead
Appendix 1 NCSC statistics
  Responsible disclosure
  Security advisories
  Cyber security incidents registered with the NCSC
Appendix 2 Sectoral assessment of cyber security
Appendix 3 Terms and abbreviations

Summary

The Cyber Security Assessment Netherlands (CSAN) 2016 offers insight into interests, threats and resilience, as well as related developments in the field of cyber security. This CSAN focuses primarily on the Netherlands, for the period from May 2015 to April 2016. The CSAN is published annually by the National Cyber Security Centre and is drawn up in cooperation with public and private partners.

In the past year, state actors and professional criminals formed the largest threat for the Netherlands in the field of cyber security. Over the reporting period, they have caused many incidents, or have attempted to do so. Also, the threat that emanates from these groups is huge, and has grown in the past year.

Criminals have, over the past year, focused massively on ransomware and the degree of organisation of criminal campaigns is continually increasing. On a regular basis, organisations in society must deal with computers and data that have been made inaccessible by ransomware. For criminals, campaigns with ransomware are easy to carry out. Criminals take into account the purchasing power of victims: sometimes more ransom is demanded if (large) organisations are infected. Thus, ransomware, in recent years, has developed into the tool of choice for professional criminals to make money. The classic measures of regular backups and network segmentation can limit the impact of ransomware attacks.

In addition to short actions aimed at making money quickly, professional criminals are expanding their methods: professional criminals have evolved into sophisticated actors and carry out long-lasting and high-quality operations. In the past year, several long-running campaigns were observed, using advanced forms of spear phishing. With this, both the investments and the proceeds of the campaigns have increased. In the past, this way of working was the domain of state actors.

State actors have, over the past year, carried out a great deal of digital espionage on the leading Dutch sectors. Digital economic espionage by foreign intelligence services puts pressure on the competitive position of the Netherlands. In addition to economic espionage, foreign intelligence services actively collect political information via digital pathways. The Dutch government suffers regular digital attacks. Political espionage undermines politics and government and is therefore a threat to the democratic legal order.

Abroad, manifestations by state actors have been observed that deploy sabotage and other (military) cyber capabilities. The threat has increased for the Netherlands. State actors have deployed digital attacks abroad more frequently to achieve their strategic objectives, to influence conflicts and, in some cases, to support an armed struggle. Cyber security measures taken can also protect against a digital component of hybrid attacks.

Encryption has received much attention over the past year. The interests of the parties are sometimes at odds with each other. In the discussion on the relevance of encryption, the interests of detection and national security must be balanced against the security of the internet and the privacy of its users. In the Netherlands, the government has published its official position on encryption. The government endorses the importance of strong encryption for internet safety, in support of the protection of the privacy of citizens, for confidential communications of government and businesses and for the Dutch economy. The government has sent its position on encryption to the House of Representatives. The government is of the opinion that it is not currently appropriate to take legal measures to restrict the development, availability or the use of encryption.

Hacktivists and terrorists in the field of cyber security pose less of a threat than state actors and professional criminals, but these actors have developed over the past year. There have been no terrorist attacks recently using digital resources. However, they do generate a lot of media attention with small-scale digital attacks which require little knowledge or skill. Hacktivists have, over the past year, focused on the online publishing of sensitive corporate information and personal information.

Cyber vandals and script kiddies are a growing threat. They can carry out digital attacks with accessible tools and at low cost. Think of booter services to perform DDoS attacks; these are forms of cybercrime-as-a-service. This criminal industry has expanded over the past year. Standard solutions are being offered online and continuously improved. Ready-to-use exploit kits are traded on underground marketplaces. In these, malware is offered as a service, including a helpdesk that is available 24/7.

The amount of malware on mobile devices is increasing greatly. These devices are an interesting target because an increasing number of (financial) activities take place on them. They often remain vulnerable because updates are not installed or because sometimes no updates are available when devices are several years old.

Just like last year, many DDoS attacks have been observed in the past year. These attacks are primarily carried out by criminals, hacktivists, cyber vandals and script kiddies. In addition to running these attacks and thus bringing websites, infrastructures and systems down, DDoS attacks are also used for extortion. Often, these are empty threats. Many organisations have, over the past year, taken measures collectively or organisationally, against DDoS attacks. These measures are effective for many attacks, but do require investments. Private parties are working collectively on various initiatives to be able to implement DDoS protection more easily and cheaply by working together.

Chain dependencies and the connectivity of industrial control systems make critical processes in the Netherlands vulnerable. A chain is only as strong as its weakest link. Moreover, the blending of industrial control systems and office automation introduces, alongside the many benefits, vulnerabilities into this chain.

SMEs, compared to larger companies, take relatively few measures in the field of cyber security. This is the case while a large part of the Dutch economy is formed by small and medium-sized enterprises. The low resilience of SMEs in the field of cyber security can have a negative impact on the Dutch economy.

Keeping devices and software up to date remains a challenge. Organisations are vulnerable because system updates are not installed in due time. In organisations with industrial control systems, the systems are often vulnerable and updates are not carried out regularly. This is usually due to a concern that updating will lead to loss of productivity. There is room for improvement in the Netherlands in the field of protective measures: companies often have no good idea of measures that are necessary.

Advertising networks do not seem to be able to cope with malvertising yet. This method of malware distribution remains popular and is a growing problem that is not easy to solve: the manner in which ads are bought in real time and presented to the user happens out of sight of website owners. Currently, advertising networks do not thoroughly check the content of their ads. Combined with the fact that many systems do not have the latest updates, this provides a large attack surface. Effective protection against malvertising without affecting the revenue model of websites requires fundamental measures in the way advertising networks operate.

In recent years, various parties have worked hard to reduce the number of rogue websites that are hosted in the Netherlands. Hosting providers, the science community and the police have worked together over the past year to reduce bad hosting in the Netherlands. Improvement is visible, but there are still parties that engage in bad hosting.

In addition to technical vulnerabilities, the Achilles' heel of digital security, people also remain vulnerable. Malicious parties continue to improve their attempts to get users to act. Social engineering continues to be popular and is most successful when it comes to specific activities via spear phishing. The transfer of generic skills to identify threats and to act on them is difficult. Information campaigns are failing to pass these on. Campaigns to raise security awareness work best when they focus on a defined problem, such as internet banking.

In the past year, the Coordinated Vulnerability Disclosure Manifesto was drafted. Signatories of this manifesto endorse the importance of the vulnerability-disclosure process (responsible disclosure) and appreciate the interaction with researchers and the hacker community. In May 2016, the manifesto was signed by 29 parties from home and abroad during the high level meeting, organised during the Dutch EU Presidency.

Internet service providers in the Netherlands have established the Dutch Continuity Board (DCB), which works on measures to limit the impact of DDoS attacks on Dutch critical infrastructure and to make services that have been disrupted available again as soon as possible.

The government has, over the past year, taken steps to become more digitally secure and to make the Netherlands digitally safer. The central government has taken action so that recipients have more certainty about the sender of e-mails from the government. The Platform for Internet Standards has launched the website internet.nl, enabling users to make sure that internet connections, websites and e-mail use modern (security) standards.

Also, the new Personal Data Protection Act came into force on 1 January 2016. With the new law, the data breach reporting obligation entered into force. All parties are now required to report possible personal data incidents to the Dutch Data Protection Authority. The fines that may be imposed can encourage the taking of measures against the leaking of this information.

Key findings

The summary gives a concise and complete picture of interests, threats and resilience in the field of cyber security. In addition, notable observations from the reporting period are contained in four key findings. These key findings are described below.

Professional criminals have evolved into sophisticated actors and carry out long-lasting and high-quality operations

Campaigns by professional criminals are becoming more and more sophisticated. In the past, the digital attacks and associated campaigns by criminals were often of short duration and focused on earning quick money by targeting a great number of parties. Criminals have, in the past year, implemented a number of campaigns where huge investments have been made and which show a high degree of organisation. In addition, spear phishing by criminals is becoming ever more sophisticated and therefore more credible. Spear phishing is thus becoming increasingly difficult to fight with security awareness. Prolonged campaigns with large investments and advanced spear phishing were, in the past, the terrain of state actors.

Digital economic espionage by foreign intelligence services puts the competitiveness of the Netherlands under pressure

The past year has seen many digital attacks on companies in the Netherlands in which the motive was economic espionage. Espionage for economic purposes is harmful to the position of the Netherlands. These attacks focused on acquiring technology that sometimes still has to prove its value. Two thirds of the affected companies were unaware of these attacks.

Ransomware is commonplace and has become even more advanced

The use of ransomware by criminals in the past year has become common. Infections are everyday occurrences and affect the entire society. Whereas in the past the same price had to be paid per infection, the price is now determined on the basis of the type of affected organisation. In addition, the malware itself is more sophisticated: in addition to files on the local disk, nowadays databases, backups and files on network drives are encrypted.

Advertising networks have not yet shown the ability to cope with malvertising

The distribution of malware via ads on major websites is a problem. Advertising networks have not yet been able to find solutions to this problem. The wide range of advertising networks provides, along with the large number of systems from which the latest updates are missing, a large attack surface. Operators of these websites and advertising networks themselves do not have full control over the ads. This makes it possible for malware to be spread. The complete ad blocking in the browser affects the business model of website owners. To protect users against malvertising without blocking all ads, fundamental changes are needed in the way these networks work.

Insight into threats and actors

Table 1 provides insight into the threats that the various actors have posed over the period between May 2015 and April 2016 to the targets 'governments', 'private organisations' and 'citizens.' Professional criminals and state actors remain a major threat to government, private organisations and citizens. Threats that are indicated in red may increase while the level is already high. Threats that, compared to the CSAN 2015, have grown or shrunk, are indicated by an arrow.

The threat posed by cyber vandals and script kiddies has grown in terms of disruption of IT. They have many tools at their disposal to carry out attacks relatively easily, including DDoS attacks. Theft of information by these actors is a limited threat to all targets. The threat of theft and publication of obtained data by hacktivists has grown, while this threat by internal actors has shrunk, compared to last year.

Table 1 Threat matrix

Targets: Governments | Private organisations | Citizens

Source of the threat: Professional criminals
Theft and publication or selling of information | Theft and publication or selling of information | Theft and publication or selling of information
Manipulation of information | Manipulation of information | Manipulation of information
Disruption of IT | Disruption of IT | Disruption of IT
IT takeover | IT takeover | IT takeover

Source of the threat: State actors
Digital espionage | Digital espionage | Digital espionage
Offensive cyber capabilities | Offensive cyber capabilities

Source of the threat: Terrorists
Disruption/takeover of IT | Disruption/takeover of IT

Source of the threat: Cyber vandals and script kiddies
Theft of information | Theft of information | Theft of information
Disruption of IT | Disruption of IT

Source of the threat: Hacktivists
Theft and publication of obtained information | Theft and publication of obtained information
Defacement | Defacement
Disruption of IT | Disruption of IT
IT takeover | IT takeover

Source of the threat: Internal actors
Theft and publication or selling of information | Theft and publication or selling of information
Disruption of IT | Disruption of IT

Source of the threat: Cyber researchers
Receiving and publishing information | Receiving and publishing information

Source of the threat: Private organisations
Information theft (industrial espionage) | Commercial use/abuse or 'resale' of information

Source of the threat: No actor
IT failure | IT failure | IT failure

Change with respect to CSAN 2015.

No new trends or phenomena are recognised that pose a threat. OR (sufficient) measures are available to remove the threat. OR No appreciable manifestations of the threat occurred during the reporting period.

New trends and phenomena are observed that pose a threat. OR (limited) measures are available to remove the threat. OR Incidents have occurred outside the Netherlands and there have been several minor incidents in the Netherlands.

There are clear developments which make the threat expedient. OR Measures have a limited effect, so the threat remains substantial. OR Incidents have occurred in the Netherlands.

Introduction

The Cyber Security Assessment Netherlands is published annually by the National Cyber Security Centre. The CSAN is realized in close cooperation with a large number of parties, both public (police, intelligence and security services and the Public Prosecution Service) and scientific organisations and private organisations (companies in the critical processes and the parties represented in the ISACs).

The CSAN 2016 offers insight into the interests, threats and resilience, as well as the related developments, in the field of cyber security. It focuses primarily on the Netherlands, for the period from May 2015 through April 2016. The intention is for policymakers, in government and the critical processes, to enhance the digital resilience of the Netherlands or to improve current cyber security programmes. The CSAN is a factual description, with interpretations based on insights and expertise from government services and organisations in the critical processes themselves. It describes developments in a qualitative form and, where available in a reliable form, it provides a quantitative foundation and/or reference to sources. Monitoring developments is a continuous process, with the CSAN being one of the annual results. Matters which have not or have barely changed with respect to the previous editions have been described in brief or not at all.

Readers' guide

The key questions of the CSAN 2016 are:
- What events or what activities by which actors could affect IT interests, what tools do they use and what are the developments in this respect (threats)
- To what extent is the Netherlands resilient to vulnerabilities in IT, could these lead to an impact on IT interests and what are the developments in this respect (resilience)
- Which Dutch interests are being adversely affected, and to what degree, by restrictions of the availability and reliability of IT, breach of the confidentiality of information stored in IT or damage to the integrity of that information, and what are the developments in this respect (interests)

The triangle of interests, threats and resilience is a model for the chapter format of the CSAN. Chapter 1 describes which matters have manifested themselves during the reporting period within the triangle of interests, threats and resilience. It gives an overview of relevant manifestations in the Netherlands. Foreign manifestations are mentioned where they are relevant to the Netherlands, although the Netherlands need not be directly affected.

Threats are discussed in the chapters about actors and tools. The abilities, characteristics and methods of actors are described in Chapter 2. Chapter 3 describes the tools that these actors use and their development.

The resilience of the Netherlands can reduce the chance that a threat will manifest itself and can limit the impact of manifestations. Chapter 4 describes the vulnerabilities. Chapter 5 describes the measures taken to reduce those vulnerabilities and to strengthen resistance and resilience.

Chapter 6 discusses the Dutch interests and focuses on the changes in these interests over the past year and what their impact is on cyber security. The appendices provide an overview of the incidents handled by the NCSC, an assessment of cyber security within the various sectors and explain the abbreviations used.

[Figure: the triangle of Interests, Threats and Resilience, with Manifestations, Actors, Tools, Vulnerabilities and Measures]

Ransomware is commonplace and infections are everyday occurrences

1 Manifestations

The number of infections with ransomware has increased significantly since the previous reporting period. Successful digital espionage is second to none and is a significant threat to national security. The data breach reporting obligation has been in force since 1 January 2016. In the first quarter of 2016, the Dutch Data Protection Authority received over a thousand reports of data breaches.

Activities aimed at monetary gain

Ransomware is commonplace and has become even more advanced

Ransomware[1] has boomed since the previous reporting period. Organisations and individuals throughout society have much to do with computers and data made inaccessible by such malware. The number of ransomware infections has increased significantly, according to representatives from various sectors who were interviewed for this CSAN. For example, the energy sector is faced with infections several times a month. These lead only to limited disruptions of office automation and do not reach process automation. Also, the healthcare and telecom sectors are facing extraordinary increases in the number of infections. Managed service providers, which often provide the automation for other sectors, find that a majority of their clients deal with more than one infection per year.

During the reporting period, the police received 124 notifications and reports of infections with ransomware. At least 35 of these notifications and reports were specifically about cryptoware. These numbers are probably only a fraction of the total number of incidents with ransomware. Problems when recording official reports, inconsistency in registration and unfamiliarity with the possibility of reporting and filing official reports, are the cause that not all incidents can be found in these statistics. Figures from Statistics Netherlands support this: in 2015, 11 percent of the Dutch population fell victim to cybercrime; official reports were filed in only a small number of the cases.[2]

Various sectors indicate that the mode of infection with ransomware is changing. Previously, these were only random infections. Now, the energy sector, water management organisations and managed service providers indicate that they are regularly confronted with person- or organisation-targeted phishing e-mails by which attackers try to install ransomware. Other sectors, especially the banking sector, see, however, very little targeted phishing to install ransomware infections.

Organisations find that ransomware infections still occur largely because workers read their private e-mail at their workplace. For this, workers use the webmail functionality of their private e-mail. In this e-mail, there are, for example, links to a website that infects the computer of the employee.

Various sectors have different experiences with the distorting effect of ransomware. The managed service providers and the energy sector see infections with ransomware today as 'business as usual.' They routinely restore back-ups. This leads to reduced disruption to the organisation. The insurance industry indicates that ransomware infections are experienced as very disruptive for the organisation.

Also, the nature of ransomware by which infections take place has changed lately. In this reporting period, manifestations have been observed in which backups and network drives were encrypted. Where ransomware initially encrypted the files on the computer of the end user, it is now searching further into the network. User-accessible network drives are also encrypted so the consequences of infection are felt by much larger areas of the organisation.

Services in hospitals abroad have been interrupted several times by ransomware infections. In the Netherlands, as far as we know, this has not yet happened.

A hospital in the German city of Neuss was the victim of ransomware that encrypted patient information, as was announced in February 2016.[3] The malware, 'normal' consumer ransomware, was distributed via an e-mail attachment. Operations had to be postponed and e-mail communication was suspended. RP Online, a German news website, stated that five other German hospitals kept it to themselves that they had incurred the same infection.

At Hollywood Presbyterian Medical Center in Los Angeles, ransomware disrupted the functioning of the computer network in February 2016.[4] The hospital stated that the ransomware did not gain access to patient data. CT scanners, laboratory robots and drug supplying machines were, however, sabotaged. The hospital eventually paid the ransom of 17,000 dollars.[5]

It is certainly not always possible to find the perpetrators of a ransomware infection. In September 2015, in Amersfoort the Dutch police succeeded, in collaboration with Kaspersky, in arresting two suspects of 18 and 22 years old. They were accused of infecting tens of thousands of computers worldwide with Coinvault ransomware.[6]

The increase in malvertising feeds discussion on the need for ad blockers

This year, as well, it was not unusual for visitors of regular websites to be confronted with malware in the ads displayed. This is not only found in obscure corners of the internet, but also on very popular Dutch websites. The method used for these attacks suggests that the perpetrators are usually criminals.

In June 2015, Fox-IT discovered that a number of news websites, including the De Telegraaf website, were distributing malware through the displayed ads.[7] The infected ads came from the advertising networks Rubicon and AppNexus. These ads used the Angler exploit kit to infect visitors of the websites with malware.

Also in April 2016, Fox-IT detected a malvertising campaign on Dutch websites. This time, there were at least 288 different websites, including very popular websites such as Nu.nl, Buienradar and Marktplaats.[8] Here, too, the attackers used the Angler exploit kit to infect users with malware.

Malvertising on popular Dutch websites adds to the debate about whether or not it is appropriate to block ads via an ad blocker. The growing use of ad blockers has led to the creation of providers of anti-adblock services for website owners. Ironically, it was PageFair, an anti-adblock service, which was used for a malvertising campaign in November 2015. More than five hundred websites that make use of this service offered, for an hour and a half, malware through displaying ads.[9]

Innovative criminals steal financial resources and goods

Banks have become more resilient against banking malware, as the police have noticed. Man-in-the-browser attacks targeted at end users no longer work as well, thanks to fraud detection by banks. Logically, cybercriminals have therefore gone looking for other work methods, tools and targets. This could explain why the use of banking trojans continues to decrease and the use of ransomware and RATs (Remote Access Tools) continues to increase. For example, we now see attacks on banking systems themselves rather than on the account holders. This happened, for example, in Carbanak[10] and in attacks on foreign banks in which attackers gained access to systems by which transactions are deposited on the SWIFT network.

RATs are very popular among criminals. During the reporting period, the police received 40 notifications and reports of incidents with RATs. That is remarkable, because the deployment of an RAT is very labour intensive for a criminal.[11] Criminals use RATs to search within computer networks of organisations for valuable systems and information. There are also online marketplaces where anyone can purchase these activities as a service.

Phishing campaigns where users are prompted to fill in passwords or pay an amount of money are still common. For example, in November 2015, an attacker pretended to be the Central Fine Collection Agency (CJIB).[12] The attacker sent bogus fines to people and manipulated them to pay as soon as possible. Victims thought they were sending money to the CJIB, but it was sent to the criminal.

Multiple organisations are being faced with much more targeted and advanced social-engineering attacks. Managed service providers indicate that their clients are regularly confronted with complex and highly targeted phishing attacks. The success ratio of such attacks is quite high. Representatives of multinationals and the transport sector add that they are seeing a huge rise in the number of spoofed e-mails. This includes e-mails in which the attacker pretends to be the CEO or CFO of the company. This form of fraud is also known as CEO or CFO fraud. In this way, the attacker tries to authorise large transactions into his account.

The transport sector also says that they observe that criminal organisations recruit their staff to supply information from internal IT systems. If, for example, they reveal the location of a container full of expensive smartphones, it will be much easier for the other criminals to seize them.

In February 2016, unknown persons stole 81 million dollars from the central bank of Bangladesh by hacking into their systems.[13] They supposedly gained access to the SWIFT transactions system at the bank. This system is used for international inter-banking payment transactions. BAE Systems, an information security company, claims to have discovered what malware was used in the attack.[14] It seems that this malware specifically targets the SWIFT Alliance software suite, which is used by the Bangladesh Bank. Reuters reports that the Tien Phong Bank in Vietnam was previously targeted in vain by the same attackers.[15] In addition, the Ecuadorian Banco del Austro fell victim to this in the same way.[16]

Activities aimed at acquiring information

Digital espionage is second to none

Digital espionage is, from a historical perspective, second to none and is a significant threat to national security. According to the AIVD and MIVD, the observed attacks are only the tip of the iceberg. The total number of cases of digital espionage is many times greater.

In the past year, the intelligence services have observed a great deal of digital espionage on Dutch companies in the defence industry and on such leading sectors as high-tech, chemical, energy, life sciences & health and the water sector. It has been established that the attackers were looking for highly specialised technology and sometimes even experimental technology that has yet to prove its market value. This shows that structural and detailed attention is paid to innovation initiatives in the Netherlands. These technologies are essential for the current and future revenue models of the affected companies. This illustrates the structural and comprehensive digital espionage threat against the innovation and competitive ability of the Dutch business community.

Dutch efforts in the fields of research and development are a popular target for digital espionage by state actors. This allows them to keep their economies moving, but also to modernise their armed forces more quickly. The extent of the economic damage from digital espionage on Dutch companies is difficult to establish. It also turns out that about two-thirds of the affected companies were not aware of these attacks up to the moment of notification by intelligence services.[18]

On Wednesday 15 June 2016, the Volkskrant published an article[19] about the hacking of the Dutch-German defence company Rheinmetall. This company had supposedly been attacked by Chinese hackers since 2012. According to the Volkskrant, the hack was discovered in late 2015 by the security company Fox-IT.

State actors, in particular foreign intelligence services, actively collect digital political information in the Netherlands. Political espionage undermines political and governmental authority and is therefore a threat to the democratic legal order. The Dutch Government suffers regular digital attacks. The goal of the attacks is to obtain information about political decision-making and positions, the development and content of political-economic plans, agenda items for political meetings and Dutch views and tactics about negotiations in various fields.

In addition to the Dutch Government, political or ethnic minorities in the Netherlands are also victims of digital attacks. These attacks are carried out by foreign intelligence services, such as intelligence services from their countries of origin. This is certainly the case if these minorities, in the eyes of their country of origin, constitute a threat to the stability and legitimacy of the regime.

Banking and managed service providers are able to repel advanced phishing attacks[17]

A Dutch bank was, in the past period, faced with a very persistent and dedicated phisher. Through physical interceptions, this attacker was able to obtain a limited number of tokens (fewer than ten) belonging to the bank's corporate clients. Such tokens are used to authorise wire transfers. If the attack had succeeded, this could have led to considerable damage. The bank and the managed service provider, together, were able to discover the attack and to block the tokens before the attacker could exploit them.

The Netherlands as a digital transit port for state actors

The Netherlands has a huge amount of bandwidth, one of the world's largest internet hubs and numerous options for renting servers. As a result, the Netherlands is an obvious transit port for digital attacks and it plays an important role in their implementation and dissemination. Over the past year, several companies and government agencies in various countries in Europe, the Middle East, Asia and North America have been targeted by digital espionage attacks, including those that went via the Netherlands.[20] These attacks focused on political-strategic, military-strategic and economic information. As a result, Dutch IT systems unwittingly play a role in curtailment of civil liberties, evasion of export restrictions, infringement of intellectual property rights and theft of confidential government information. Among the victims are (partnerships between) government agencies, ministries and the (defence) industry. These are digital attacks on office environments, mobile platforms and industrial control systems.

Theft of information manifests itself hugely outside of the Netherlands

The past year was marked by a number of targeted hacks, capturing huge amounts of personal data. All these incidents occurred outside the Netherlands. That does not mean that Dutch society is immune from this type of attack. The healthcare sector, for example, indicates that it has seen a clear increase in phishing for login details. They have evidence that the goal of these attacks is financial in nature.

It remains to be seen which part of the data breaches is visible to the outside world. Fear of reputational damage can lead to organisations keeping the discovered data breaches a secret. The data breach reporting obligation, in force since January 2016, requires that all breaches of personal data be reported to the Dutch Data Protection Authority. The AP has reservations, however, as to whether all breaches are reported.[21]

In June 2015, the U.S. Office of Personnel Management (OPM) made it known that it had been the victim of a hack. With the hack, the data of four million government employees was stolen. Later that month, it was announced that the data of 21.5 million employees and applicants had been stolen.[22] This included information concerning security screenings of American government personnel. The attacker could exploit such data for counter-espionage and for pressuring or blackmailing government employees. There was speculation about China's involvement in the hack, but the Chinese government has said that it is not responsible for the attack.[23] Later, the Chinese government arrested a number of hackers who, according to them, had carried out the hack.[24]

With the hack on Ashley Madison, a website for people looking for an affair, the personal data of more than thirty million people was stolen.[25] The hackers demanded that the website be shut down and threatened with publication of the user data. When the website was not taken off-line, the hackers published the data of 32 million users, mostly men.[26] Presumably, other attackers then used the data in this dataset to blackmail those involved.[27] According to the Toronto police, the hack even drove two of the website users to suicide.[28]

The hack on Ashley Madison was not the only ideologically motivated leak during this period. From the Italian company Hacking Team, hundreds of gigabytes of internal business data were made public via BitTorrent and Twitter after a hack.[29] In 2012, Reporters Without Borders named Hacking Team "enemy of the internet", because it supplied tools to authoritarian regimes to suppress their populations. The breached data is widely seen as a confirmation of the earlier suspicions about Hacking Team's controversial clientele. Meanwhile, the Italian government has withdrawn the broad license of Hacking Team to export their products.[30]

In June 2016, reports appeared in the media[31] stating that hackers had stolen data from computers owned by the United States Democratic Party. The hackers specifically targeted the Democratic National Committee. E-mail and instant messages of Democrats were reportedly leaked. A security company linked the events to a Russian actor.[32] Later, the hack was claimed by an unknown individual, who tried to claim responsibility by disclosing selected documents.[33]

In August 2016, unknown hackers calling themselves the Shadow Brokers alleged to have compromised a U.S. espionage campaign. Through an intrusion, they claimed to have stolen espionage malware.[34] This malware was published in order to strengthen their claim that it came from U.S. intelligence services. Some undisclosed material was being offered for sale via a public auction.[35] The files contained espionage malware, tools that allow attacks on firewalls (including those of Cisco, Fortigate and Juniper).

Activities aimed at disruption

Warding off DDoS attacks is costly but increasingly more effective

During the reporting period, organisations were frequently the target of DDoS attacks. The managed service providers and organisations from the central government say it is increasingly possible to take effective measures against ordinary-sized DDoS attacks. However, the possible measures are costly. That makes doing business online more expensive. Also, it is unclear how long the race between attackers and defenders will favour the (wealthy) defenders.

Numerous Dutch organisations were inaccessible online during this period, due to DDoS attacks. During the reporting period, the police received 150 notifications and official reports of DDoS incidents. Schools are regularly victims of an attack.[36] The attack is usually directed against any PC at the school a student attends, but it affects the router and internet connection of the entire school.[37] Individual end users are affected, such as online gamers whose competitors make it impossible in this way for them to play the game. A gamer's internet service provider can certainly be hindered by this.[38] These attacks are often aimed at disrupting a single connection, but can have an impact on all of a provider's connections.

On two consecutive evenings in August 2015, the DNS servers of internet service provider Ziggo were the target of a DDoS attack. Because of this, nearly two million Dutch citizens temporarily had no internet. In October, the police arrested five boys in connection with the DDoS attacks.[39] Four of them were under the age of 18, the fifth was 21 years old.

Chapter 1 Manifestations | CSAN 2016

It is not uncommon for Dutch organisations to be extorted with DDoS attacks. Attackers perform a small DDoS attack and report their intention to stage a much larger attack at a later date. Only if the organisation pays, will the attack be called off. A well-known group that extorts in this way is DD4BC (DDoS for bitcoin). In none of the Dutch cases known at the NCSC during the reporting period did failure to pay lead to a larger attack after the deadline. Managed service providers indicate that, every week, they are confronted with attempts at extortion of their customers with DDoS attacks.

Digital sabotage and influence

In the Netherlands, there have not been incidents of successful sabotage involving state actors. The transport sector does indicate that regular incidents occur involving disgruntled or recently-fired employees who misuse their IT authorisations to cause considerable damage.

Abroad, there have been much more serious forms of sabotage attacks. The most effective was, no doubt, the attack on Ukrainian electricity companies, whereby between 700,000 and 1.4 million people came to be without power. The perpetrators hacked into the systems of the electricity companies, after which they could obstruct the operation of the system. After about six hours, the power supply was restored.

Intelligence agencies find that state actors increasingly use digital tools to achieve their strategic objectives, to resolve (international) conflicts and to support, in some cases, an armed struggle. Examples of this trend are the conflicts in the Ukraine and Syria, where such means are used regularly. Alongside digital espionage, this is also reflected in digital sabotage and activities to influence public opinion. The deployment of digital espionage, sabotage or influencing with these objectives is cost effective. Moreover, the internet has the potential to carry out such operations relatively anonymously. That complicates attribution.

Defacements are widely used for propaganda

Many websites are still defaced on a daily basis. To do this, a vulnerability in the web application is used to alter the content that a visitor sees. Generally, a defacement is not a sign that the core processes of an organisation are digitally at risk. Defacements are usually performed with an ideological motive, or to display certain skills or to brag. Ideological defacements, for example, are regularly carried out by sympathisers of ISIS. Such attacks are not seen as terrorist activities in themselves, but only as propaganda. They are, of course, criminal offences.

Manifestations with unintentional damage

Failure of IT can have a major impact

Even without people attacking the systems, they can fail to function. This happens, for example, when a system becomes overloaded or an administrator makes a mistake.

In May 2015, there was a short malfunction at the Amsterdam Internet Exchange (AMS-IX). As a result, various websites and other services depending on transmission via the AMS-IX were temporarily hard to reach or out of commission. Because AMS-IX is one of the largest internet hubs in the world, the effects were noticeable not only in the Netherlands, but also abroad. The malfunction was caused by a human configuration error during maintenance work.[40]

Also, with software in new places, such as in thermostats, malfunctions may occur. That usually happens in devices from the Internet of Things. The smart thermostat Nest by Google had a malfunction in January 2016.[41] It turned out that the control of the individual thermostats depended on the proper functioning of the Google systems. Due to the malfunction of these systems, all Nest users were unable to operate the thermostat.

During the attacks in Brussels in March 2016, so many people tried calling and texting that it overloaded the mobile telephone network. The authorities advised people to use text message or data services and not to call.[42] They hoped that the network would, in that way, remain available. The communications system of the Belgian police also suffered from the malfunction. Agents decided therefore to make temporary use of WhatsApp.[43]

Data breaches often arise by mistakes

The data breach reporting obligation has been in force in the Netherlands since 1 January 2016. Within the framework of the Telecommunications Act, telecom companies already had an obligation to report to the Netherlands Authority for Consumers & Markets. In the first quarter of 2016, the Dutch Data Protection Authority received over a thousand reports of data breaches. Nearly 90 percent of these reports were made in the context of the recently amended Personal Data Protection Act. So before 2016, organisations would not have been obligated to report these data breaches.[44]

Various security issues caused the customer files of, among others, IT service provider Invers,[45] household appliance chain Brabantia[46] and two Dutch hospitals to be compromised during this period.[47] Human error and negligence also played a role, in this period, in municipalities and the healthcare sector. Private data of thousands of residents from Oegstgeest and Rotterdam was, for a time, available to everyone; an employee of the municipality of Rotterdam had linked confidential information to a personal computer.[48] A former employee of an application provider contracted by Oegstgeest had stored confidential information on his laptop.[49] In December, an unprotected external hard drive was taken from a researcher from the Antoni van Leeuwenhoek hospital. The hard drive contained patient information and medical data.[50]

The healthcare sector indicates that data breaches are extremely common there. This is not just about malicious offences such as theft of equipment, but also about errors. A doctor inadvertently sends, for example, the medical file of a patient to another patient. Central government organisations even indicate that data breaches generally result from human error and not from hackers. Some examples they mention are typos in an e-mail address or attachments of personal data that may not be shared by e-mail.

Notes

[1] In this report, cryptoware, unless explicitly described, is under the collective name: ransomware.
[2] http://download.cbs.nl/pdf/veiligheidsmonitor-2015.pdff
[3] https://www.security.nl/posting/460845/E-mail+besmet+computers+Duits+ziekenhuis+met+ransomware, consulted on 4 July 2016.
[4] http://www.theregister.co.uk/2016/02/15/ransomware_scum_tear_up_tinsel_town_hospital_demand_record_36m/, consulted on 4 July 2016.
[5] http://venturebeat.com/2016/02/17/los-angeles-hospital-paid-hackers-17000-ransom-in-bitcoins/, consulted on 4 July 2016.
[6] https://www.politie.nl/nieuws/2015/september/16/11-cybercriminelen-aangehouden.html, consulted on 4 July 2016.
[7] https://blog.fox-it.com/2015/06/15/large-malvertising-campaign-targeting-the-netherlands/, consulted on 4 July 2016.
[8] https://blog.fox-it.com/2016/04/11/large-malvertising-campaign-hits-popular-dutch-websites/, consulted on 4 July 2016.
[9] Source: https://blog.pagefair.com/2015/halloween-security-leak/, consulted on 4 July 2016.
[10] See CSAN 2015 for a more detailed description of Carbanak.
[11] Source: police.
[12] https://www.security.nl/posting/450641/Politie+waarschuwt+voor+nepmails+van+CJIB, consulted on 4 July 2016.
[13] http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO, consulted on 4 July 2016.
[14] http://baesystemsai.blogspot.nl/2016/04/two-bytes-to-951m.html, consulted on 4 July 2016.
[15] http://www.reuters.com/article/us-vietnam-cybercrime-idUSKCN0Y60EN, consulted on 4 July 2016.
[16] http://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD, consulted on 4 July 2016.
[17] Source: the involved managed service provider.
[18] Source: AIVD and MIVD.
[19] http://www.volkskrant.nl/buitenland/nederlands-duits-defensiebedrijf-gehackt-door-chinezen~a4320398/, consulted on 4 July 2016.
[20] Source: AIVD and MIVD.
[21] http://nos.nl/artikel/2104842-privacywaakhond-datalekken-worden-niet-gemeld.html
[22] https://www.opm.gov/cybersecurity/cybersecurity-incidents/, consulted on 11 July 2016.
[23] http://www.welivesecurity.com/2015/12/03/opm-data-leak-not-state-sponsored-says-china/, consulted on 11 July 2016.
[24] https://www.washingtonpost.com/world/national-security/chinese-government-has-arrested-hackers-suspected-of-leaking-opm-database/2015/12/02/0295b918-990c-11e5-8917-653b65c809eb_story.html, consulted on 11 July 2016.
[25] http://nos.nl/artikel/2047968-gegevens-miljoenen-vreemdgangers-gehackt.html, consulted on 11 July 2016.
[26] http://nos.nl/op3/artikel/2052728-hackers-zetten-32-miljoen-vreemdgangers-online.html, consulted on 11 July 2016.
[27] http://www.zdnet.be/nieuws/171086/hackers-chanteren-ashley-madison-gebruikers/, consulted on 11 July 2016.
[28] http://www.volkskrant.nl/buitenland/-twee-zelfmoorden-na-hack-ashley-madison~a4128352/, consulted on 11 July 2016.
[29] https://www.security.nl/posting/434642/Italiaanse+spyware-ontwikkelaar+HackingTeam+gehackt, consulted on 11 July 2016.
[30] https://nakedsecurity.sophos.com/2016/04/08/hacking-team-loses-global-license-to-sell-spyware/, consulted on 11 July 2016.
[31] http://nos.nl/artikel/2111102-russische-hackers-maken-data-democraten-buit.html, consulted on 19 August 2016.
[32] http://www.darkreading.com/attacks-breaches/russian-hackers-breach-democrats-to-steal-data-on-trump/d/d-id/1325909, consulted on 19 August 2016.
[33] http://www.nu.nl/internet/4278512/hacker-guccifer-20-claimt-verantwoordelijkeid-hack-democratische-partij.html, consulted on 19 August 2016.
[34] http://www.nu.nl/internet/4307673/hackersgroep-claimt-nsa-spionagesoftware-hebben-gestolen.html, consulted on 19 August 2016.
[35] http://nos.nl/artikel/2126368-de-nsa-is-mogelijk-gehackt-maar-door-wie.html, consulted on 19 August 2016.
[36] http://nos.nl/artikel/2073898-ddos-aanvallen-treffen-scholen-we-haalden-de-boeken-weer-uit-de-kast.html, consulted on 4 July 2016.
[37] Source: interview with Michel van Eeten.
[38] Source: police.
[39] https://www.politie.nl/nieuws/2015/oktober/7/11-vijf-jongeren-aangehouden-na-aanvallen-op-ziggo.html, consulted on 4 July 2016.
[40] https://ams-ix.net/newsitems/194, consulted on 4 July 2016.
[41] http://tweakers.net/nieuws/107255/nest-kampte-met-grote-storing-wereldwijd.html, consulted on 4 July 2016.
[42] https://twitter.com/CrisiscenterBE/status/712207222718259200, consulted on 4 July 2016.
[43] http://www.nieuwsblad.be/cnt/dmf20160326_02205315, consulted on 4 July 2016.
[44] Source: Dutch Data Protection Authority.
[45] http://www.telegraaf.nl/binnenland/24934680/Invers_lekt_gegevens.html, consulted on 4 July 2016.
[46] http://www.brabantia.com/nl/statement-beveiligingsincident, consulted on 4 July 2016.
[47] https://www.security.nl/posting/458824/Datalek+bij+drie+ziekenhuizen+treft+ruim+158_000+pati%C3%ABnten, consulted on 4 July 2016.
[48] http://www.rotterdam.nl/persoonsgegevens, consulted on 4 July 2016.
[49] https://www.oegstgeest.nl/fileadmin/redacteuren/20160309_Vragen_en_antwoorden_DEF_tbv_website.pdf, consulted on 4 July 2016.
[50] http://www.avl.nl/topmenu/over-avl/nieuws/persbericht-externe-harde-schijf-onderzoeker-antoni-van-leeuwenhoek-ontvreemd/, consulted on 4 July 2016.

2 Threats: Actors

Professional criminals have developed their skills and are able to execute advanced operations

Professional criminals and state actors are still the greatest threat to Dutch digital security.
Over the past period, the attack vectors of these parties often remained basically the same compared to previous years. In the future, criminals will continue to expand and deploy ransomware as a revenue model, while making it more targeted. The targeted collection of personal data without the consent of the owner is, for various actors, an increasingly attractive scenario. Also, for malicious parties (without specific knowledge and skills) it is becoming increasingly easy to carry out digital attacks. They can make use of low-threshold tools and affordable forms of cybercrime-as-a-service.

This chapter deals with the actors who adversely affect the reliability and security of information and information systems, their capabilities and the developments in this area.

Professional criminals

Criminal actors form, in various ways, a serious threat to Dutch digital security. They have a great impact on both individuals and organisations, as well as the Dutch government. The purpose of professional criminals is financial gain. They achieve this by carrying out digital attacks or by threatening to carry out digital attacks (extortion).

During the past period, criminals have shown that they are able to carry out advanced campaigns that require a high degree of organisation. Campaigns such as Carbanak and attacks on banks for the purpose of gaining access to systems that can be used to deposit SWIFT transactions, show that professional criminals are now also focusing on an approach in which a long-term and large-scale campaign is set up. With such campaigns, criminals make, in the medium term, more money than with shorter actions. In the past, activities with such a degree of organisation were only seen among state actors.

In April 2016, the police and the Public Prosecution Service shut down a large encrypted communications network and seized computers from the company that supplied phones and related services in order to communicate via encrypted messages, so-called PGP phones.[51][52] The police often find these phones in criminal investigations into drug trafficking and liquidations. This shows that professional criminals use advanced technical tools to protect communications.

Criminals are becoming more purposeful in extortion

Moreover, the actions of criminals are becoming more drastic for victims.[53] For example, criminals are increasingly focusing on digital extortion. Ransomware is the most obvious example of this. In the previous reporting period, the use of ransomware by criminals really took off in popularity, and it has continued unabated during this period. The ransomware attack methods are becoming more sophisticated and the tactics to install the ransomware on the systems of victims are increasing in sophistication.

Although the police have observed more targeted attacks in the past period, the ransomware used by criminals in the Netherlands has, thus far, been mainly untargeted. This means that they do not focus on encrypting and extorting specific systems. Both individuals and organisations are affected by this type of extortion. However, there are indications that criminals more often use ransomware to target organisations.[54][55][56] Sometimes, they use an adjusted (higher) ransom demand for this and they focus on vulnerable targets where continuity is important, such as hospitals and care facilities.[57][58] This was the case, for example, in an American hospital where 40 bitcoins (USD 17,000) were paid to the attackers to get the systems operational again as quickly as possible.[59] This was worrisome not only because the patient data was encrypted: even medical equipment was not functioning as a result of this attack.[60]

Criminals are exploiting the successful use of ransomware further by expanding the diversity of their targets. The example of the American hospital also shows that criminals do not only attack standard systems. Systems such as medical equipment, databases[61] and even backup files[62] may also be vulnerable to these attacks.

In addition to ransomware, Dutch organisations have been victims of DDoS extortion campaigns more often during the past period. In these campaigns, DDoS attacks are used by criminals as part of a blackmail scenario. Via e-mail, criminals threaten with a DDoS attack unless bitcoins are paid to the sender. The DDoS attacks are not always actually carried out.[63] DD4BC[64][65] and the Armada Collective[66] are known criminal groups which use this method, although there are indications that other criminals make use of these names to reinforce the threat of a DDoS attack.[67][68]

Furthermore, it was also observed in the reporting period that criminals extort individuals with stolen data from digital attacks. This is, for example, what happened after the hack on the customer base of the Ashley Madison site.[69] People from the customer base were then approached by the criminals.[70] Organisations, too, are sometimes extorted with stolen data from digital attacks.[71] In the past period, the criminal group Rex Mundi threatened, for example, to put the customer databases of various Dutch and Belgian organisations online if the organisations concerned refused to pay.[73][73]

Existing revenue models remain in vogue among criminals

While there is a group of professional criminals who, with a high degree of organisation, carry out sophisticated campaigns, existing revenue models are still in use.[74] This can be observed both in ransomware and in other types of criminal malware, such as banking malware. The use of this latter form of malware is decreasing in the Netherlands.[75] Sometimes malware source code is (intentionally or unintentionally) made public, making it possible for criminals to adjust it to their own needs. The result is that multiple versions of the original malware quickly appear.[76][77] In addition, it is becoming more common that criminals can adapt their malware for specific targeted attacks: thus, they model their attacks more often to their intended victim.[78]

The level of expertise and skills of criminals is extremely varied. There are specialists who are characterized by a high level of professionalism and innovative capacity. Through the professional services sector that has originated for digital crime in recent years, there is also an ever-growing group of active criminals with a relatively low level of expertise and skills.[79] The CSAN 2014 and 2015 already argued that it is no longer necessary for a criminal to possess digital skills in order to carry out digital attacks. The fact that cybercrime-as-a-service is becoming increasingly professional and customer-friendly has become clear again in the past period through the appearance of various types of ransomware-as-a-service,[80][81] malware instruction videos on YouTube[82] and ransomware codes on GitHub.[83] This adds to the ease with which criminals without specific knowledge and skills can use malware and ransomware against their victims.

The tracking down of criminals remains a challenge

Dutch hosting remains popular among cybercriminals. In 2015, the police and the Public Prosecution Service observed that the number of IP addresses on which they must act on the basis of international requests for assistance, increased from 214 in 2014 to 383 in 2015.[84] Also, various anonymisation techniques are gaining popularity among criminals. In this way, they try to keep criminal activities, communication and money flows out of sight of the investigative services. Criminal forums are often posted behind proxies and DDoS protection services, to hide the actual location of servers.[85] The police note that command & control servers used in, for example, ransomware campaigns are placed in the Tor network in order to be untraceable.

In addition, the use of so-called bitcoin mixers is gaining in popularity: services that try to anonymise bitcoin funds even further by changing them. In this way, the traces of the virtual money and the senders and receivers of transactions cannot be discovered. In addition to this, illegal bitcoin changers can, via ads on underground marketplaces, be brought in at a high rate (8-12 percent instead of about 0.5 percent at bona fide changers) to anonymously withdraw money at an agreed time and place. In January 2016, the FIOD dismantled a criminal network with multiple bitcoin changers. In March 2016, the police also arrested a bitcoin changer who was laundering what was probably millions of euros of bitcoins in this way.

It is clear that there is a large, global, anonymous market for digital crime. However, the local police are also increasingly seeing locally formed, physical partnerships. Instead of maintaining only remote contact via (anonymous) digital channels, some criminals certainly do have contact with each other; they know each other and get together for some of the targeted operations. A well-known example is the Dyre malware campaign, for which a criminal group was housed together in an office building in Russia.[86]

State actors

The greatest digital threat to national security comes from state actors, in particular from foreign intelligence services.[97] The Dutch government, national security and economy are threatened by the activities of these state actors. Digital attacks have become a real alternative to conventional (intelligence) tools because of the low cost, limited risk of failure and the high yields (in the amount of information). The method is increasing in complexity, attackers are becoming more resourceful and are developing ever better ways to prevent the problem of identification and attribution. The Dutch intelligence and security services have observed, in the past period, structurally extensive espionage attacks aimed at Dutch government agencies, scientific institutes and companies in key sectors. States also use the military potential of the digital domain by deploying offensive cyber activities. This has not yet been specifically observed in the Netherlands.[98]

States are investing in offensive cyber capabilities

As in previous years, states are investing heavily in developing their offensive digital capabilities.[99] It is often the intelligence services who harbour these capabilities and covertly deploy them. States have increasingly used digital attacks to achieve their strategic goals, to influence national or international conflicts and, in some cases, to support an armed struggle. The military use of digital capabilities, digital attacks with the aim of tampering and manipulation of representation, is increasingly used to supplement conventional tools.

Although the manifestations of such attacks hardly appear in public sources, it should be noted that some states carry out preparatory acts for collecting information, influencing the capacity for political and military operations or maintaining an infrastructure for future operations. This has not yet been observed in the Netherlands. Disturbing here are the exploration of critical infrastructure, the installation of malware to gain access for future operations, or investments in hacker collectives that make such acts possible.

States are organising their cyber capabilities

The degree of organisation behind digital attacks by foreign state actors is often large; the division of labour and specialisation are in development. The Dutch intelligence and security services have, during several attacks, observed that various actor groups were involved in the implementation of digital attacks. For instance, it has been repeatedly established that the different stages of a digital attack were contracted out to various third parties. These parties specialise in needs determination, tool development, implementation or infrastructure management. Infiltration, on the one hand, and exploration and evasion, on the other hand, were also contracted out to various groups, including private parties.

The Dutch intelligence and security services have determined several times that employees of seemingly private IT companies carry out digital attacks or purchase and manage infrastructure on the instructions of foreign governments. These activities focus on Dutch government agencies, scientific institutes and companies in top sectors. This segmentation in the design and implementation of digital espionage encourages the specialisation and continuity (in the form of strike power) of digital attacks.

Terrorists

As yet, no concrete terrorist threat against national security has been observed in the digital field. Terrorists have, thus far, never staged an attack (deadly or otherwise) with digital tools. They do, however, still cause social unrest with small-scale digital attacks for which little knowledge or skills are needed. These types of attacks have increased over the last period.

Marketplaces for cybercrime-as-a-service

Standard solutions for performing cybercrime are continuously being developed and resold. This reselling is called commodification. Campaigns or operations are often carried out by ad hoc coalitions of specialists.[87] Larger and knowledgeable coalitions keep, as much as possible, a grip on the entire operation.[88]

Underground marketplaces are still used to exchange or trade tools for committing cybercrime.[89] They use hidden services, so as to hamper detection. Services offered include ready-to-use malware, stolen credit card information, social media and e-mail account information, DDoS attacks (DDoS-as-a-service), RATs and online manuals for committing cybercrime. Reliability and quality are seen as a competitive advantage. There are service providers with a helpdesk that offer support during office hours or even 24 hours a day.[90] They give the guarantee that the delivered data or products will live up to the expectations. To avoid scams, trusted intermediaries are also deployed who only release the money to the seller when the customer has indicated that he is satisfied.[91]

The Angler exploit kit possibly uses a model where a user is charged per successful malware installation.[92] Other exploit kits, such as Sweet Orange, seem to offer both a subscription service as well as the possibility to buy the kit for an unlimited period.[93] Exploit kits are sometimes also sold under certain conditions, for example that they may only be used for targeted attacks and not for wide phishing attacks.[94] Another condition is that they should not be used in countries where the service provider wants to stay under the radar.[95] The service provider may also demand a portion of the proceeds, such as 30 percent for CTB locker.[96]

Advanced digital capabilities of jihadists have not yet manifested themselves

Most terrorist threats come, at present, from jihadists and ISIS sympathisers.
Although it was determined in the previous reporting period that the capabilities of jihadists in the digital field are growing, this has, so far, not yet manifested itself in large-scale or technically sophisticated attacks with a terrorist or jihadist motive.

Jihadists generally concentrate on hiding and encrypting their channels of communication. They often point out the importance of safety awareness to their supporters. They are also developing new applications and news forums[100][101][102] in order to spread their message further. In doing so, they seem to be looking for a balance between security and recruitment: instead of moving their communications completely to underground channels,[103] jihadists, for recruitment and propaganda purposes, benefit from having their message remain accessible to some degree for interested parties.[104][105]

Jihadists regularly claim that they have managed to obtain sensitive data via digital attacks. The data which they then make public are, however, in most cases still data that can be found on the internet,[106] or are the result of simple hacks which require little capacity and few resources.[107] These are, in particular, data from American soldiers and government employees,[108][109] but, in the past reporting period, they also published lists of European government employees,[110][111] including outdated information about Dutch citizens.[112] Jihadists generally publish details of government employees, with the call to supporters to use this information for attacks. Thus far, it has not happened that personal data published by jihadists has been used to carry out attacks.

Although jihadists have the financial means and the intent to carry out digital attacks, it is clear from their previously carried out attacks that these attacks are not technically advanced yet and require little knowledge and manpower. Jihadists are trying to attract third parties to increase knowledge and capabilities in the field of digital attacks.[113]

Incidents or attacks are often a catalyst for online defacements by various parties, such as the digital responses to the attacks in Paris by both supporters of ISIS and supporters of Anonymous. In conflicts such as those in the Ukraine and the attacks in Paris, it is clear that ISIS sympathisers are more likely to focus on defacements, DDoS attacks and hacks of social media accounts.

The names 'Caliphate Cyber Army'[14][115] and 'Islamic Cyber Army'[116][117] recently seem to appear more prominently in digital attacks. Sometimes these names are used interchangeably.[118] Also, some names that are associated with jihadist digital attacks have announced that they plan to unite.[119] The identity of those behind these names is not known, nor is it known whether they are used by the same person or are interchangeable. Also, it is not known how many people are behind this, so that it is currently impossible to draw conclusions about the possible impact of these mergers. In June 2016, media reports were published which reported that attacks in the name of Cyber Caliphate and ISIS were carried out by parties allied to Russia.[120]

Hacktivists

Hacktivism increases during international conflicts

Hacktivists claim that they carry out digital attacks based on an ideological motive.
Both their motives and their capabilities can be very diverse. In many cases, hacktivists carry out DDoS attacks on government targets,[121][122] media[123][124] and organisations.[125][126] The number of digital attacks by hacktivists increases during international conflicts and attacks. These activities have, thus far, had no major consequences for national security. It is possible that digital attacks and publications by hacktivists will generate media attention in the future.

Hacktivists have been focusing more recently on doxing. One example of doxing is the disclosure of Ku Klux Klan accounts by hacktivists.[127][128] Also, the names and login details of an Israeli defence organisation were hacked and released onto the internet.[129] Doxing by hacktivists is not yet common in the Netherlands.

The capabilities of hacktivists vary

The capabilities of hacktivists are extremely varied. Sometimes attack techniques are used that require little knowledge and skills. Sometimes, the digital attacks are more sophisticated in nature, as with the compromising of sensitive business data.[130][131] Also, in the past period, cases of sabotage by hacktivists have been identified: in February, it was announced that unknown persons had hacked a NASA drone and tried to have it crash into the sea.[132]

Hacktivists are more active during international conflicts and attacks. After attacks, hacktivists often announce digital attacks against supporters of ISIS.[133][134] After the attacks in Paris and Brussels, this led to an increase in defacements and DDoS attacks on various sites, done by both hacktivistic persons and groups who use the name Anonymous, as well as Jihadist sympathisers.[135][136] These attacks had only a limited impact for the Netherlands.

Cyber vandals and script kiddies

Growing threat through better availability of tools

The threat from cyber vandals and script kiddies is increasing. The reason for this increase is the growing availability of accessible tools for digital attacks. Cyber vandals and script kiddies carry out digital attacks as pranks, as a challenge, or to demonstrate their own capabilities. The police have also noted that suspected cyber vandals and script kiddies are often minors. The young suspects and their parents are often not aware of the damage done and the consequences.[144]

Cyber vandals have varying levels of knowledge. The knowledge level of script kiddies is usually low. Both of them carry out targeted as well as untargeted attacks.

It is becoming easier for cyber vandals and script kiddies to carry out DDoS attacks by using so-called booter services, which make it possible to carry out DDoS attacks via a website (DDoS-as-a-service). These services are easy to find on the internet and are easy to use. Thus, an effective attack can be carried out even with little money[145] and knowledge. Examples of this type of attack are the DDoS attacks on Ziggo[146] and de Volkskrant.[147]

One example of targeted attacks by cyber vandals and script kiddies were the hacks by the group 'Crackas with attitude' on the American heads of intelligence services John Brennan[148] and James Clapper[149]. After these hacks, data of CIA and FBI employees was posted on the internet. Later, a 16-year-old Brit was arrested for both hacks.[150][151] Furthermore, online gaming platforms are always popular targets,[152] especially during the Christmas holidays.[153][154][155]

Attribution of, in particular, DDoS attacks and defacements remains difficult

The distinction between cyber vandals, script kiddies, ISIS sympathisers and hacktivists is not always easy to make. With DDoS attacks and defacements, in particular, the responsibility for an attack is sometimes claimed by a specific party. However, the specified reasons are not always the real motivation behind the attack. A well-known example is the attack on the website of Malaysia Airlines in the previous reporting period, in which script kiddies pointed to ISIS.[156] This year, with the DDoS attacks on Ziggo and de Volkskrant, we saw references to Anonymous, a name that is usually associated with hacktivism.[157] There was also a severe DDoS attack on the BBC, carried out by a party that said it engages in anti-jihadist activities.[158] The same attack is often claimed by several people or parties on different forums.[159][160] The real reason for the attack then remains unclear.

Anonymous as a digital threat

Anonymous is a loose and unorganised collection of individuals with varying interests who use the name 'Anonymous' for their digital activities. Anonymous is most commonly associated with digital activities of an activist nature. They often call for digital attacks on various organisations and bodies.[137][138] Also, people under the name Anonymous sometimes make business or personal data public and call for physical protests.[139][140]

However, the name Anonymous is not always associated with hacktivism. People who associate themselves with Anonymous often do this based on different motives. As a result, their objectives vary considerably and they have a wide variety of targets. While some people are actually ideologically motivated, others carry out actions 'just for fun.' Because everyone is free to call themselves Anonymous, the name is used by parties and persons who stage digital attacks without ideological motives.[141] This was the case last year with the DDoS attack on Ziggo[142] and, presumably, during the attack on the Volkskrant.[143]

In the media, there is often the incorrect image that Anonymous is a fixed group that carries out digital attacks with clear objectives. This image shows up, in particular, when people announce, on behalf of Anonymous, that they will deactivate social media accounts and websites of pro-jihadist parties.

The impact of digital attacks carried out under the name Anonymous differs as much as the motives and targets. Sometimes, it happens that attackers manage to shut down sites for a while. Also, the disclosure of personal data causes regular disruption to organisations and governments. The impact of the deactivation of social media accounts and websites of pro-jihadist parties is probably not particularly great: often, after they have been deactivated, people just set up a different account.

Internal actors

Threat from internal actors remains stable

There is no indication that, during this period, the threat by internal actors has changed compared to previous years. This threat may come from malicious employees who, from financial, political or personal motives, deliberately manipulate systems or leak data. Threats by internal actors, however, can also come from unintentional actions and carelessness.

Although, in the recent period, some reports were published abroad about deliberate actions by internal actors,[161][162] this was not such a problem in the Netherlands. In August 2015, an employee of a supermarket chain was sentenced because he had infected almost a hundred company laptops.[163]

The biggest internal threat in Dutch organisations, however, has been the result of oversight and human error. This ranged from employees who lost their (unsecured) data carriers to set-up errors, such that customer data could be accessed via the internet. For example, the Indian visa provider BLS enabled the data of Dutch applicants to leak out through a simple programming error.[164] A Dutch telecom shop unintentionally left login data of customer files on a screen, and it was then simple for a researcher to access them.[165] Via SQL injection, it was revealed that most of the staff of the European Space Agency used very weak passwords, sometimes only three characters long.[166]

Cyber researchers

Cyber researchers look for vulnerabilities in IT environments for the purpose of exposing low levels of security. They often use the media to publish their findings and increase cyber security awareness. Publicity about the vulnerabilities can make organisations (temporarily) vulnerable because attackers can take advantage of the research findings. During the past reporting period, there was no significant threat observed in the Netherlands by Dutch publications about vulnerabilities.

In public and private areas in recent years, several agreements have been made with cyber researchers to share their research results more easily, without sacrificing the security of organisations. One result of these agreements are the guidelines that help organisations develop a practice of responsible disclosure in order to facilitate detectors and develop rapid solutions for vulnerabilities.[167]

Bug bounty programme is gaining popularity

Also, there is a trend among organisations to observe the implementation of so-called bug bounties. These are rewards that, under certain conditions, are promised to researchers who uncover security vulnerabilities. This year, for example, the Pentagon[168] and General Motors[169] joined the bug bounty programme.[170] In the Netherlands, several companies make use of bug bounties, including several Dutch banks[171][172][173], Fox-IT[174] and Gamma[175]. Although cyber researchers continue to publish research from which malicious parties can benefit, both the guidelines to come to a practice of responsible disclosure and the bug bounty programme contribute to a gradual decrease in the threat from research publications.

Private organisations

Threats by private organisations may take three forms: organisations may affect the confidentiality of systems for financial gain, organisations can carry out cyber attacks in order to improve their competitive position and organisations can use the data they collect about their customers for commercial purposes or sell it to third parties. Carrying out digital attacks to improve one's competitive position usually falls under the heading of industrial espionage.

There is no indication that the threat from private parties has changed compared to the previous reporting period. During the past period, some cases of industrial espionage have been observed abroad. In the United States, for example, a supplier of linens confessed that the company's employees had hacked a competitor for financial gain.[176] Also, an employee of an American baseball team confessed to having hacked a database of a rival team.[177] Furthermore, it was revealed via the leaked documents from the compromised dating site Ashley Madison that management was able to infiltrate a competitive dating site.[178] In the Netherlands, there have not been any comparable cases thus far.

Table 2 Actors and their intentions

Actors | Intentions
Professional criminals | Financial gain (directly or indirectly)
State actors | Improving geopolitical (or internal) position of power
Terrorists | Bringing about changes in society, seriously frightening the population or influencing political decision-making
Cyber vandals and script kiddies | Demonstrating vulnerabilities, hacking because it is possible, for fun, looking for a challenge
Hacktivists | Ideological motives
Internal actors | Revenge, financial gain, ideological motives (possibly 'driven')
Cyber researchers | Demonstrating weaknesses, own profiling
Private organisations | Obtaining valuable information

Personal data is an increasingly attractive target for various actors

In recent months, there have been several reports in the international media on the theft and/or publication of personal data. Often this involves data from public sources which can be found on the internet, but also data from protected databases are attractive targets for attackers. The targeted collecting and then placing on the internet of personal data without the consent of the owner is also known as 'doxing.' Although not all the collected data will always be released online, personal data form an attractive target for various actors.

State actors are typically focused on personal data of government employees for suspected espionage purposes. In the media, there is the predominant image that a state actor is, for example, responsible for the hack on the United States Office of Personnel Management (OPM), during which the personal data of more than 21 million government employees were said to have been stolen.[179] The stolen data were never made public online. It is currently not known how exactly this data is being misused.

Criminals collect data in order to attempt to exploit them for financial gain. Not only are personal and payment data popular products, but also medical data and account information. A previously mentioned example is the hack on Ashley Madison.[180]

Jihadist groups regularly claim to have stolen sensitive data and personal data from government systems and then publish them on the internet. Often, however, this information is publicly available information which jihadist supporters may have obtained by performing targeted searches for government data on the internet.

Hacktivists steal and publish personal and business information for ideological reasons. Although it is difficult to identify the real motives, publishing sensitive business or personal information is often accompanied by an ideological justification. Here, it is not certain whether this claim was the real reason for the data theft.

Conclusion and looking ahead

Criminals and state actors are still the greatest digital threat to national security. Digital attacks carried out by these actors are the most sophisticated and tend to have the greatest impact on victims and society. With state actors, there is an evolving division of labour and specialisation. The method is increasing in complexity, attackers are becoming more resourceful and are developing ever better ways to prevent the problem of identification and attribution.

The criminals' revenue models continue to be successful and have proved popular in the past year. Ransomware will be further expanded in the future and used in a more targeted manner. Here, hospitals and healthcare institutions are popular targets. Besides the further development of existing business models, criminals are more often modelling their attacks to their intended victim. The past year has seen a number of major campaigns, proving that professional criminals are expanding their area of activity. Groups of professional criminals have a high degree of organisation and conduct sophisticated campaigns. Investments in such campaigns are high but this seems to be paying off: the proceeds from the known cases are high.

Jihadists still generate a lot of media attention with small-scale digital attacks which require little knowledge or skill. Although the digital capabilities of jihadists continue to grow, they have, thus far, never staged an attack with digital tools. The expectation is that (small-scale) attacks with jihadist motives will increase in number and that jihadists will become more involved in the publication of personal data.

Recently, hacktivists have been more focused on publishing sensitive business or personal information (without the consent of the owner). Theft and/or publication of personal data are, however, not only attractive for hacktivists. Also cyber vandals, script kiddies, criminals, jihadists and state actors focus, for various reasons, on stealing these data. This trend will continue in the future.

The threat from cyber vandals and script kiddies is increasing. The reason for this increase is, primarily, the growing availability of accessible tools for digital attacks. The availability and affordability of cybercrime-as-a-service also play a role here. As a result, an increasing number of people are able to carry out these attacks. It is expected that, in particular, DDoS attacks will increase in number.

In the area of internal actors and private organisations, there is no indication that the threat has changed compared to the previous reporting period. In these actors, as well, no new trends or phenomena have been observed which pose threats. Threats posed by cyber researchers will probably further decrease due to a number of trends.

Notes

[51] https://www.om.nl/vaste-onderdelen/zoeken/@94086/groot-crimineel/, consulted on 13 July 2016.
[52] http://www.nrc.nl/next/2016/04/21/informatieschat-op-criminele-gsms-1614033, consulted on 13 July 2016.
[53] https://www.europol.europa.eu/latest_news/iocta-2015-europol-annual-report-cybercrime-threat-landscape-published
[54] http://arstechnica.com/security/2016/02/la-hospital-latest-victim-of-targeted-crypto-ransomware-attack/, consulted on 4 July 2016.
[55] http://blog.trendmicro.com/trendlabs-security-intelligence/businesses-held-for-ransom-torrentlocker-and-cryptowall-change-tactics/, consulted on 4 July 2016.
[56] Source: Fox-IT.
[57] https://www.technologyreview.com/s/600838/hollywood-hospitals-run-in-with-ransomware-is-part-of-an-alarming-trend-in-cybercrime/, consulted on 4 July 2016.
[58] http://arstechnica.com/security/2016/03/kentucky-hospital-hit-by-ransomware-attack/, consulted on 4 July 2016.
[59] https://www.security.nl/posting/461521/Amerikaans+ziekenhuis+betaalt+17_000+dollar+aan+ransomware, consulted on 4 July 2016.
[60] http://www.theregister.co.uk/2016/02/15/ransomware_scum_tear_up_tinsel_town_hospital_demand_record_36m/, consulted on 4 July 2016.
[61] http://www.securityweek.com/cybercriminals-encrypt-website-databases-%E2%80%9Cransomweb%E2%80%9D-attacks, consulted on 4 July 2016.
[62] https://www.security.nl/posting/464735/FBI+waarschuwt+voor+ransomware-aanval+die+back-ups+wist, consulted on 4 July 2016.
[63] http://securityaffairs.co/wordpress/41775/cyber-crime/protonmail-paid-ransom-ddos.html, consulted on 4 July 2016.
[64] http://www.computerweekly.com/news/4500246707/DD4B-cyber-extortion-gang-targets-key-European-sectors, consulted on 4 July 2016.
[65] https://blogs.akamai.com/2015/05/dd4bc-escalates-attacks.html, consulted on 4 July 2016.
[66] https://blogs.akamai.com/2015/11/operation-profile-armada-collective.html, consulted on 4 July 2016.
[67] http://news.softpedia.com/news/unknown-copycat-using-armada-collective-name-for-ddos-for-bitcoin-extortions-497297.shtml, consulted on 4 July 2016.
[68] http://www.securityweek.com/dd4bc-armada-collective-inspire-cyber-extortion-copycats, consulted on 4 July 2016.
[69] See Chapter 1 for further explanation of the hack on Ashley Madison.
[70] http://www.zdnet.be/nieuws/171086/hackers-chanteren-ashley-madison-gebruikers/, consulted on 4 July 2016.
[71] http://tweakers.net/nieuws/104536/hackers-zetten-inloggegevens-van-bitdefender-klanten-online.html, consulted on 4 July 2016.
[72] http://tweakers.net/nieuws/104290/rex-mundi-heeft-financiele-gegevens-duizenden-belgen-buitgemaakt.html, consulted on 4 July 2016.
[73] http://nos.nl/op3/artikel/2011495-hacker-s-rex-mundi-al-drie-jaar-een-etterende-wond.html, consulted on 4 July 2016.
[74] http://www.csoonline.com/article/2931535/data-leak/check-point-reports-explosion-in-unrecognizeable-malware.html, consulted on 4 July 2016.
[75] Source: police.
[76] https://www.security.nl/posting/434682/Bouwdoos+van+malware+die+Nederlandse+banken+aanviel+gelektchannel=rss, consulted on 4 July 2016.
[77] https://securityintelligence.com/tinba-worlds-smallest-malware-has-big-bag-of-nasty-tricks/, consulted on 4 July 2016.
[78] Source: police.
[79] Source: police.
[80] Source: police.
[81] http://arstechnica.com/security/2016/01/researchers-uncover-javascript-based-ransomware-as-service/, consulted on 4 July 2016.
[82] https://www.security.nl/posting/438203/Organisatie+luidt+noodklok+over+malware-video%27s+op+YouTube, consulted on 4 July 2016.
[83] http://feeds.webwereld.nl/~r/Webwereld/~3/AzkSM1zMpUo/88019-open-source-ransomware-vrijelijk-beschikbaar-op-github, consulted on 4 July 2016.
[84] Source: police.
[85] Source: police.
[86] http://tweakers.net/nieuws/108009/verspreiding-financiele-dyre-malware-gestopt-door-russische-autoriteiten.html, consulted on 4 July 2016.
[87] Source: police.
[88] Source: interview with Michel van Eeten.
[89] https://www.secureworks.com/resources/rp-2016-underground-hacker-marketplace-report, consulted on 4 July 2016.
[90] https://www.secureworks.com/resources/rp-2016-underground-hacker-marketplace-report, consulted on 4 July 2016.
[91] https://www.secureworks.com/resources/rp-2016-underground-hacker-marketplace-report, consulted on 4 July 2016.
[92] Source: police and https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/, consulted on 4 July 2016.
[93] http://www.drchaos.com/sweet-orange-web-exploit-kit/, consulted on 4 July 2016.
[94] http://news.softpedia.com/news/New-MS-Word-Exploit-Kit-Adds-Statistics-Tool-to-Track-Success-of-the-Campaign-477568.shtml, consulted on 4 July 2016.
[95] Source: police.
[96] Source: police.
[97] Source: AIVD and MIVD.
[98] Source: AIVD and MIVD.
[99] Source: AIVD and MIVD.
[100] http://www.nytimes.com/2016/01/15/world/middleeast/a-news-agency-with-scoops-directly-from-isis-and-a-veneer-of-objectivity.html_r=0, consulted on 4 July 2016.
[101] http://www.mirror.co.uk/news/technology-science/technology/hidden-isis-android-app-lets-6203483, consulted on 4 July 2016.
[102] http://securityaffairs.co/wordpress/24978/cyber-crime/al-qaeda-encryption-tools.html, consulted on 4 July 2016.
[103] http://www.csoonline.com/article/3004648/security-awareness/after-paris-isis-moves-propaganda-machine-to-darknet.html, consulted on 4 July 2016.
[104] http://www.tandfonline.com/doi/abs/10.1080/00396338.2016.1142085, consulted on 4 July 2016.
[105] https://www.security.nl/posting/466258/Onderzoek%3A+terroristen+nauwelijks+aanwezig+op+Tor-netwerk, consulted on 4 July 2016.
[106] http://www.thedailybeast.com/articles/2015/03/23/isis-hackers-googled-their-hit-list-troops-names-were-already-on-public-websites.html, consulted on 4 July 2016.
[107] http://www.dataleakes.net/feds-charge-ardit-ferizi-aka-th3dir3ctory-with-creating-hit-list-of-american-military-govt-employees-for-isis/, consulted on 4 July 2016.
[108] http://www.nu.nl/internet/4106100/zet-informatie-1400-amerikaanse-militairen-en-ambtenaren-online.html, consulted on 4 July 2016.
[109] http://www.dataleakes.net/jihadist-leaks-addresses-of-army-sgt-dillard-johnson-navy-seal-rob-oneill/, consulted on 4 July 2016.
[110] http://www.ubergizmo.com/2015/12/islamic-cyber-army-responds-to-isis-day-of-trolling/, consulted on 4 July 2016.
[111] https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/site-6-1-15-ishd-calls-for-attacks-on-10-italian-army-personnel.html, consulted on 4 July 2016.
[112] http://www.telegraaf.nl/binnenland/26069079/__74_Nederlanders_op_dodenlijst_IS__.html
[113] Source: AIVD and MIVD.
[114] https://ent.siteintelgroup.com/index.phpoption=com_customproperties&view=search&task=tag&tagId=787&Itemid=1355, consulted on 4 July 2016.
[115] http://www.washingtontimes.com/news/2016/mar/15/islamic-state-hackers-post-kill-list-minnesota-cop/, consulted on 4 July 2016.
[116] http://www.techworm.net/2015/09/isis-affiliates-to-launch-cyber-attacks-on-united-states-to-celebrate-911.html, consulted on 4 July 2016.
[117] http://abcnews.go.com/US/fbi-warns-isis-inspired-cyber-attacks-911-anniversary/storyid=33684413, consulted on 4 July 2016.
[118] SITE Intel Group, Pro-IS Hackers Forward Purported Info of Military Personnel Prominent Government Figures, 21 November 2015.
[119] http://www.ibtimes.co.uk/isis-cyber-army-grows-strength-caliphate-hacking-groups-merge-telegram-1553326, consulted on 4 July 2016.
[120] http://observer.com/2016/06/false-flags-the-kremlins-hidden-cyber-hand/, consulted on 4 July 2016.
[121] http://www.nu.nl/internet/4173614/anonymous-hackt-ijslandse-overheidswebsites-walvisvangst.html, consulted on 4 July 2016.
[122] http://spd.rss.ac/aHR0cDovL25ld3Muc29mdHBlZGlhLmNvbS9uZXdzL2Fub255bW91cy1oYWNrcy11cy1kZXBhcnRtZW50LW9mLWFncmljdWx0dXJlLXR-vLXByb3Rlc3QtYWdhaW5zdC1tb25zYW50by00OTU4NTUuc2h0bWw, consulted on 4 July 2016.
[123] http://www.rcfp.org/browse-media-law-resources/news/online-attacks-against-media-websites-are-increasing-and-costly, consulted on 4 July 2016.
[124] https://www.hackread.com/anonymous-ddos-zimbabwe-herald-website/, consulted on 4 July 2016.
[125] http://www.scmagazineuk.com/anonymous-attacks-two-japanese-airports/article/447817/, consulted on 4 July 2016.
[126] http://www.bbc.com/news/technology-35306206, consulted on 4 July 2016.
[127] http://www.ibtimes.co.uk/anonymous-hackers-threaten-reveal-identities-1000-ku-klux-klan-members-opkkk-1525758, consulted on 4 July 2016.
[128] http://www.nu.nl:80/internet/4157261/anonymous-begint-met-publiceren-namen-ku-klux-klanleden.html, consulted on 4 July 2016.
[129] https://ent.siteintelgroup.com/Dark-Web-and-Cyber-Security/anonsec-allegedly-hacks-israel-missile-defense-association.html, consulted on 4 July 2016.
[130] http://tweakers.net/nieuws/109245/hackers-stelen-gegevens-van-anti-ddos-dienstverlener-staminus.html, consulted on 4 July 2016.
[131] https://www.theguardian.com/technology/2015/jul/06/hacking-team-hacked-firm-sold-spying-tools-to-repressive-regimes-documents-claim, consulted on 4 July 2016.
[132] http://www.ibtimes.co.uk/nasa-hack-anonsec-attempts-crash-222m-drone-releases-secret-flight-videos-employee-data-1541254, consulted on 4 July 2016.
[133] http://news.softpedia.com/news/anonymous-announces-payback-for-the-isis-paris-attacks-496184.shtml, consulted on 4 July 2016.
[134] http://www.independent.co.uk/life-style/gadgets-and-tech/news/paris-attacks-anonymous-launches-its-biggest-operation-ever-against-isis-promi-ses-to-hunt-down-a6735811.html, consulted on 4 July 2016.
[135] http://www.eteknix.com/major-isis-messaging-forum-taken-anonymous/, consulted on 4 July 2016.
[136] http://www.zdnet.com/article/isis-supporter-cyber-caliphate-takes-over-54000-twitter-accounts/#ftag=RSSbaffb68, consulted on 4 July 2016.
[137] http://www.rtlz.nl/tech/anonymous-haalt-website-trump-offline-verspreid-geen-haat, consulted on 4 July 2016.
[138] http://grapevine.is/news/2015/11/28/anonymous-shuts-down-almost-all-icelandic-govt-websites-for-13-hours/, consulted on 4 July 2016.
[139] http://nos.nl/artikel/279137-anonymous-verklaart-de-oorlog-aan-wall-street.html, consulted on 4 July 2016.
[140] http://edition.cnn.com/2015/11/06/europe/uk-anonymous-london-march/, consulted on 4 July 2016.
[141] http://news.softpedia.com/news/anonymous-hacks-european-space-agency-just-for-fun-497551.shtml, consulted on 4 July 2016.
[142] http://nos.nl/artikel/2052851-weer-urenlange-storing-bij-ziggo-door-ddos-aanval.html, consulted on 4 July 2016.
[143] http://www.volkskrant.nl/tech/volkskrant-nl-kort-uit-de-lucht-door-ddos-aanval~a4125596/, consulted on 4 July 2016.
[144] Source: police.
[145] See Table 2 for prices on underground marketplaces.
[146] http://www.volkskrant.nl/economie/ddos-aanval-op-ziggo-klanten-blijkt-letterlijk-kinderspel~a4158438/, consulted on 4 July 2016.
[147] http://www.volkskrant.nl/tech/volkskrant-nl-kort-uit-de-lucht-door-ddos-aanval~a4125596/, consulted on 4 July 2016.
[148] https://www.theguardian.com/technology/2015/oct/19/cia-director-john-brennan-email-hack-high-school-students, consulted on 4 July 2016.
[149] http://www.theguardian.com/us-news/2016/jan/13/hacker-breaks-into-personal-email-of-us-director-of-national-intelligence, consulted on 12 July 2016.
[150] https://www.washingtonpost.com/world/national-security/british-teen-arrested-in-hacking-of-top-us-intelligence-officials/2016/02/12/7b87351e-d1a5-11e5-b2bc-988409ee911b_story.html, consulted on 12 July 2016.
[151] http://www.nu.nl/internet/4213760/britse-politie-arresteert-tiener-fbi-hack.html, consulted on 12 July 2016.
[152] http://tweakers.net/nieuws/104593/dota-2-gametoernooi-tijdelijk-stilgelegd-vanwege-ddos-aanval.html, consulted on 12 July 2016.
[153] http://news.softpedia.com/news/phantom-squad-starts-christmas-ddos-attacks-by-taking-down-ea-servers-498078.shtml, consulted on 12 July 2016.
[154] http://www.csmonitor.com/World/Passcode/2015/1224/Lizard-Squad-plans-Christmas-Day-encore-with-Xbox-PlayStation-attacks, consulted on 12 July 2016.
[155] http://www.engadget.com/2015/12/30/steams-christmas-privacy-issues-affected-34-000-users/, consulted on 12 July 2016.
[156] http://www.bloomberg.com/news/articles/2015-01-26/malaysia-air-website-hacked-with-phrase-isis-will-prevail-, consulted on 12 July 2016.
[157] http://www.ad.nl/ad/nl/1012/Nederland/article/detail/4125550/2015/08/20/De-Volkskrant-getroffen-door-hackeraanval.dhtml, consulted on 12 July 2016.
[158] http://www.bignewsnetwork.com/news/239915393/anti-isis-hackers-say-they-took-down-bbc-website-during-testing, consulted on 12 July 2016.
[159] http://www.emerce.nl/nieuws/alleen-nederlanders-achter-aanval-ziggo, consulted on 12 July 2016.
[160] http://www.techworm.net/2015/12/hacking-group-skidnp-takes-down-phantom-squads-website.html, consulted on 12 July 2016.
[161] https://www.security.nl/posting/462079/Ontslagen+systeembeheerder+saboteert+fabriek, consulted on 12 July 2016.
[162] http://www.newsobserver.com/news/business/article32944404.html, consulted on 12 July 2016.
[163] https://www.security.nl/posting/440098/Jumbo-medewerker+hackte+bijna+honderd+bedrijfslaptops, consulted on 4 July 2016.
[164] http://tweakers.net/nieuws/104706/indiase-visumverstrekker-bls-liet-gegevens-nederlandse-aanvragers-uitlekken.html, consulted on 4 July 2016.
[165] http://sijmen.ruwhof.net/weblog/608-personal-data-of-dutch-telecom-providers-extremely-poorly-protected-how-i-could-access-12-million-re-cords, consulted on 4 July 2016.
[166] http://webwereld.nl/security/90837-esa-wachtwoorden-zo-simpel-als-123, consulted on 4 July 2016.
[167] https://www.ncsc.nl/actueel/nieuwsberichten/leidraad-responsible-disclosure.html
[168] http://www.wired.co.uk/news/archive/2016-03/02/hack-the-pentagon-bug-bounty, consulted on 4 July 2016.
[169] https://hackerone.com/gm
[170] https://hackerone.com/internet-bug-bounty
[171] https://hackerone.com/abnamro
[172] https://hackerone.com/dnb_nl
[173] https://hackerone.com/ing
[174] https://hackerone.com/foxit
[175] https://hackerone.com/gammanl
[176] https://www.security.nl/posting/453200/IT-directeur+Amerikaans+bedrijf+hackte+server+concurrent, consulted on 4 July 2016.
[177] https://nakedsecurity.sophos.com/2016/01/12/ex-cardinals-exec-yes-i-hacked-rival-astros-database/, consulted on 4 July 2016.
[178] http://krebsonsecurity.com/2015/08/leaked-ashleymadison-emails-suggest-execs-hacked-competitors/, consulted on 4 July 2016.
[179] https://www.washingtonpost.com/news/the-switch/wp/2015/07/15/the-opm-leak-exposed-more-than-a-million-fingerprints-heres-why-that-terrible-news/, consulted on 4 July 2016.
[180] http://www.zdnet.be/nieuws/171086/hackers-chanteren-ashley-madison-gebruikers/, consulted on 4 July 2016.

Advertising networks have not yet shown the ability to cope with malvertising

3 Threats: Tools

Actors continue to expand the effectiveness of existing tools. For instance, makers of ransomware are continually increasing the pressure they put on victims. Malware and communications by malware can be hidden better and better. The amount of new malware for mobile platforms is also increasing. Actors try to infect trusted sources and advertising networks in order to be able to spread malware. The development of ready-made resources and cybercrime-as-a-service is continuing.

When carrying out digital attacks, actors make use of tools to exploit or enhance vulnerabilities. This chapter discusses these tools and the methods used.

Malware

Ransomware remains a major problem

In the CSAN 2015, ransomware was already referred to as a growing problem. The further development and dissemination of ransomware is continuing. New variants of ransomware appear frequently and the proceeds that criminals are able to generate are high. In almost all cases, all of the victim's files are encrypted and thus made inaccessible. Only if the victim pays is the encryption undone. In exceptional cases, the victims get lucky. Sometimes, the key can be retrieved by an implementation error in the encryption or by rounding up the infrastructure of the cryptoware. Then the files can be decrypted free of charge.

In the Netherlands, too, developers of cryptoware have proven to be active. For example, two Dutch citizens were arrested who were suspected of making and distributing the Coinvault cryptoware.[181]

Figure 1 Reports of ransomware in the Netherlands[182]
BitCrypter 1%, Cryptolocker 8%, Cryptowall 6%, CTB-Locker 11%, Locky 6%, Unknown ransomware 68%
Source: police.

Ransomware is affecting an increasing number of platforms that had previously not been bothered by it. For example, Mac OS X is now affected by the KeRanger ransomware.[183] As more everyday devices become equipped with processors and connectivity, the risk of a ransomware infection for such devices is increasing. For instance, the number of ransomware infections on Android is also increasing.[184] Symantec has conducted a proof-of-concept with ransomware that could infect a smart-watch via a smart-phone to which it was connected.[185] There is now also a proof-of-concept of ransomware that can infect smart TVs.[186]

Ransomware is not only used against end-users' systems but also directly against servers. This is done by exploiting vulnerabilities on those servers.[187] In this way, the server itself can be taken hostage. The server can also be used to gain a foothold within the network of an organisation. From there, further action can be taken.[188] In this way, the attacker can explore which (network) disks or files are the most valuable. These can later be encrypted. Then, the highest possible ransom can be demanded.[189]

As in previous years, in the past year, ransomware was found that encrypted backup files,[190] network drives and databases. Criminals also threatened to publish personal data if they were not paid.[191] It is unclear whether this actually happened.

Spreading malware by infecting trusted sources

If mobile device users install software solely from legitimate sources, such as the Apple, Google and Microsoft app stores, they run a lower risk of a virus or malware infection. Although checks are carried out, app stores are not free from malware. Actors try to spread malware by using the trust that users have in these channels. A watering hole attack is an example of such a strategy.

There are several methods to infect legitimate software with malware. First of all, the software vendor's website can be compromised. The malware is processed into the software offered on the website and then downloaded by users. Examples are the websites of Linux Mint[192] and Transmission[193]. Both were compromised and the software was distributed with malware. In some cases the software was also digitally signed with stolen secret key material. This enables the software to be trusted by the operating system.[194]

Another method is to infect development environments (integrated development environments, IDE) and compilers, which are used to make programs and apps and to convert program code into system instructions. In China, infected copies of the Apple Xcode IDE have been disseminated. This version is known as XcodeGhost. All of the legitimate apps developed with this automatically had malware included. Thus, they could end up infected in the Apple App Store.[195] Ultimately, this affected dozens of apps that were used by a total of hundreds of millions of people worldwide.[196] More than 36,000 Dutch people are said to have been affected by one of the bogus apps.[197]

Finally, it is also possible that new equipment already has malware installed. This is a phenomenon that has been going on for many years and still occurs.[198] The infection can even occur at the manufacturer itself, or be caused by resellers who purposefully supply equipment with malware. This development was particularly visible in Android telephones and tablets from China.[199] Replica products, in particular, have an increased risk of malware infection.

The amount of malware for mobile platforms is increasing

Mobile devices, such as smartphones and tablets, are taking an ever more central position in the daily lives of users. They are being used for an increasing number of (financial) activities. Many manufacturers of mobile devices often provide updates for only a limited period. This makes large groups of users vulnerable to newly found vulnerabilities.

Figure 2 Ransomware infections reported to the NCSC
CTB 36%, Cryptolocker 15%, TeslaCrypt 6%, Alpha-Crypt 4%, CoinVault 4%, CryptoWall 4%, Locky 4%, Crowti 2%, encryptoraas 2%, nemucod 2%, Unknown 21%
Source: NCSC. Period from January 2015 through April 2016.

AV-Test's figures show that the number of new Android malware samples more than tripled in the period from January 2015 to March 2016. Also, the share of new Android malware within the total of new malware has more than tripled and now comes to 6.8 percent. This shows that the mobile platforms are an increasingly attractive target for malware. The growth of the number of unique malware samples for all platforms, including mobile platforms, fluctuated greatly in 2015. For example, a strong growth in the number of unique malware samples could be seen in the second quarter of 2015.

For the time being, it seems that infection of mobile devices mainly takes place via bogus apps in the alternative app stores, infection of jailbroken devices and infection of development environments (such as XcodeGhost). It is not known how most infections take place. A cause of infection can also lie within the relational sphere. An acquaintance then installs spyware on the device of someone he/she knows.[200]

Although the amount of malware for iOS is relatively low, it is growing steadily

iOS systems remain generally resistant to malware, but the number of attack vectors used and the amount of malware targeting these systems is increasing.[201] The biggest risk is when an iOS device is jailbroken by the user. As a result, apps from an untrusted source are allowed. Also, non-jailbroken iOS devices have, in the past, proved vulnerable. This development is continuing.

Earlier in this chapter, the use of a compromised version of Xcode was discussed. The apps developed with this had malware included that ultimately ended up in the Apple App Store. Another case involving malware that came with iOS apps was an ad-library that was used in many iOS apps. This made it possible to obtain sensitive information from the iOS device.[202]

In addition, there is misuse of the possibility for companies to install applications outside of the Apple App Store on iOS devices (enterprise provisioning). These apps are often signed with stolen digital certificates or certificates from less reliable developers. For infection, it is necessary that the user agrees with the installation of the application and connects the iOS device to a computer. Another method used is the seducing of users to install a profile for mobile device management on an iOS system. Such a profile makes it possible to control iOS devices remotely within business environments. Attackers who manage to have the user install such a profile, can redirect network traffic to a system that is controlled by the attacker. The attacker can then install applications remotely.[203]

A new development is that malware can actively use vulnerabilities in iOS to install itself without an explicit user action on the iOS device being required. One example is the AceDeceiver malware. This still, by the way, requires a USB connection to an infected computer in order for the iOS device to be infected.[204]

With Android malware, the use of overlays is a more common means of stealing login information from users.[205] Users think they are using a legitimate app, but the malware steals the user's screen input.

Figure 3: Number of new unique Android malware samples per quarter, Q1 2012 to Q1 2016. Source: AV-Test.

Figure 4: Number of new unique malware samples per quarter (other unique malware samples and new unique Android malware samples), Q1 2012 to Q1 2016. Source: AV-Test.

Tools

Exploit kits continue to be developed

There are software developers who offer ready-to-use and user-friendly exploit kits to infect users with malware, such as the Angler exploit kit. Another well-known exploit kit is BlackEnergy. This is associated with disruptions at Ukrainian power plants.[206] There are not only exploit kits for regular computers, but also for devices such as routers.[207] Exploits for vulnerabilities can be included with the exploit kit, but new exploits can also be purchased from a third party. 86 percent of the exploits that are used in exploit kits take advantage of a vulnerability in Flash Player.[208]

Exploits for vulnerabilities are traded on the internet, both on underground forums[209] and by commercial companies.[210] In particular, so-called zero-day vulnerabilities, vulnerabilities of which the public still is not aware, are traded for large amounts. The number of published zero-day vulnerabilities rose sharply in 2015.[211] There is no clear explanation for this. When abuse of zero-days is detected and becomes known, an update generally becomes available. Of the 54 known zero-days in 2015, four affected Android, ten Adobe Flash Player, six Microsoft Windows, two Internet Explorer, two Microsoft Office and ten software for industrial control systems. The other zero-days were for other software.[212]

Figure 5: Share of various exploit kits in 2015. Angler 40%, Nuclear 18%, RIG 12%, Magnitude 11%, Neutrino 11%, Sweet Orange 4%, Fiesta 2%, CK 1%, Sundown 1%. Source: Trustwave.

Figure 6: Total number of known zero-day exploits per year, 2006 to 2015. Source: Symantec.

In addition to the above-named parties, there are parties that focus on the development of ransomware or a banking trojan to con money from victims. Other well-known alternatives are RATs. These allow for, among other things, information from the victim's system to be stolen.

The number of published exploits per quarter remained constant, after a strong decline in 2012. However, an upward trend is again observable in 2015.

Remote Access Tools continue to be a popular tool for cybercrime

RATs remain a popular tool because of their wide applicability to enable different types of crime. Because an attacker takes over virtually all features a normal user also has available on the system, there are many attack possibilities. The development of RATs is continuing. For example, there are RATs that work on various operating systems without having to be adjusted.[213] A RAT can be purchased on underground marketplaces for as little as $5.[214] RATs have, in the past year, once again proven to be an accessible and versatile tool for actors.

Figure 7: Number of published exploits per quarter, Q1 2012 to Q1 2016. Source: Exploit-DB.

Denial-of-Service attacks

Attackers continue to discover new amplification methods

Attackers continue to discover new methods to make a DDoS attack as effective as possible by increasing the amount of data sent to the victim. The main method here is amplification. With this, attackers send out a small request to a service, with a forged sender address that is the same as the address of the victim. The service then returns a much larger answer, which is delivered to the victim. The required level of knowledge and skills for an attacker is limited because of the number of accessible websites (booter services) that offer DDoS-as-a-service.[215] This trend from the previous CSAN is continuing.

During the past year, as well, attackers have continued to search for new forms of amplification. Amplification attacks have been observed by abuse of NetBIOS, RPC, Sentinel[216], RPC Portmapper[217], DNSSEC[219], TFTP[219], BitTorrent[220] and RIPv1[221]. This shows that very different network services and associated protocols are susceptible to abuse. This includes services for file transfer, domain names and routing. Many of the abused protocols are not new. Attackers have found, in these old protocols, previously unknown possibilities to exploit them for amplification attacks.

Devices connected to the internet, such as routers, IP cameras, network hard drives and network printers are also misused to carry out DDoS attacks.[222] These devices are often taken over because the management system is accessible via the internet and lacks a strong password. At the same time, simply the fact that a service is available on such a device via the internet can be exploited to carry out an attack. With the increase of the number of (unmanaged) devices connected to the internet, this problem is likely to increase.

Size, volume and duration of DDoS attacks are again breaking records

From reports of DDoS attacks worldwide, it appears that records have been broken again. The largest reported attacks involved 500 gigabits per second.[223] Attacks of this magnitude, however, remain exceptional. In addition to the extent of the attack, as expressed in gigabits per second, and the duration of the attack, it is the volume - the number of packets that is sent per second - that is relevant to the impact of the attack.[224] Processing large numbers of packets sometimes has a greater impact on routers and other network devices than the processing of an attack that is large in size and for which much bandwidth is required. Attacks with many packets per second require more memory in networking equipment. As a result, other connections are not set up or set up with a delay. The volume of DDoS attacks is expressed in millions of packets per second.
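
The reflection pattern and the packets-per-second point described above can be checked on the receiving side. The following is an added example, not part of the NCSC report: it aggregates flow records per victim and reflecting service and raises an alert on either bit rate or packet rate. The flow-record layout, the port selection, the thresholds and the sample records are assumptions constructed for illustration.

```python
"""Defender-side triage of flow records for UDP reflection/amplification traffic."""
from collections import defaultdict
from typing import NamedTuple

# Services named in this section that answer from a fixed, well-known UDP port.
# TFTP and BitTorrent reflectors reply from non-fixed ports, so a source-port
# match does not cover them; they need a different detection approach.
REFLECTOR_PORTS = {
    53: "DNS",
    111: "RPC Portmapper",
    137: "NetBIOS",
    520: "RIPv1",
}


class Flow(NamedTuple):
    """One flow record; this field layout is an assumption for the example."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    packets: int
    octets: int


def summarise(flows, window_s):
    """Aggregate reflector-port traffic per (victim, service) over one window."""
    acc = defaultdict(lambda: {"sources": set(), "packets": 0, "octets": 0})
    for f in flows:
        service = REFLECTOR_PORTS.get(f.src_port) if f.proto == "udp" else None
        if service is None:
            continue  # not an answer from one of the listed services
        entry = acc[(f.dst_ip, service)]
        entry["sources"].add(f.src_ip)
        entry["packets"] += f.packets
        entry["octets"] += f.octets
    summary = {}
    for key, e in acc.items():
        summary[key] = {
            "reflectors": len(e["sources"]),
            "mbps": e["octets"] * 8 / window_s / 1e6,
            "pps": e["packets"] / window_s,
            "avg_packet_bytes": e["octets"] / e["packets"] if e["packets"] else 0.0,
        }
    return summary


def flag_reflection(summary, min_reflectors=3, min_mbps=20.0, min_pps=10_000):
    """Alert when many distinct sources answer one victim at a high rate.

    Bit rate and packet rate are tested separately: a flood of small packets
    can strain network equipment while staying below the bandwidth threshold.
    """
    alerts = []
    for (victim, service), stats in sorted(summary.items()):
        if stats["reflectors"] < min_reflectors:
            continue  # a single resolver answering a client is normal traffic
        reasons = []
        if stats["mbps"] >= min_mbps:
            reasons.append("bandwidth")
        if stats["pps"] >= min_pps:
            reasons.append("packet-rate")
        if reasons:
            alerts.append({"victim": victim, "service": service,
                           "reasons": reasons, **stats})
    return alerts


# Constructed sample records for one 60-second window (documentation addresses).
WINDOW_S = 60
SAMPLE_FLOWS = (
    # Four DNS servers sending large answers to one host.
    [Flow("udp", f"198.51.100.{i}", 53, "192.0.2.10", 30_000, 42_000_000)
     for i in range(1, 5)]
    # Three NetBIOS responders sending many small answers to another host.
    + [Flow("udp", f"203.0.113.{i}", 137, "192.0.2.20", 250_000, 47_500_000)
       for i in range(1, 4)]
    # Ordinary resolver traffic and an unrelated TCP flow.
    + [Flow("udp", "192.0.2.53", 53, "192.0.2.30", 120, 18_000),
       Flow("tcp", "198.51.100.9", 443, "192.0.2.10", 9_000, 11_000_000)]
)

if __name__ == "__main__":
    for alert in flag_reflection(summarise(SAMPLE_FLOWS, WINDOW_S)):
        print(f'{alert["victim"]} {alert["service"]}: {alert["mbps"]:.1f} Mbps, '
              f'{alert["pps"]:.0f} pps, {alert["reflectors"]} reflectors, '
              f'triggered by {", ".join(alert["reasons"])}')
```

In the sample, the NetBIOS traffic stays below the bandwidth threshold and is caught only by its packet rate, which is the case the paragraph on volume describes.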

Figure 8: Size of DDoS attacks (percentage of attacks per quarter, Q4 2014 to Q4 2015). Source: National anti-DDoS Wash (NaWaS) of the National Management Organisation of Internet Providers (NBIP).

Figures from the National Anti-DDoS Wash (NaWas) of the National Management Organisation of Internet Providers (NBIP) show that, with respect to the size of the attacks on the parties affiliated with them, the relative distribution has basically remained the same. The 1-10 Gbps range continues to represent the majority. Attacks of more than 20 Gbps remain an exception. Most attacks on participants in the NaWas remain short-lived, less than fifteen minutes. In about 10 percent of the cases, the attacks last more than an hour. With respect to the volume of attacks on participants in the NaWas, no data is available.

Figure 9: Duration of DDoS attacks (0-15 min, 15-60 min, 1-4 hours, >4 hours; percentage of attacks per quarter, Q4 2014 to Q4 2015). Source: National anti-DDoS Wash (NaWaS) of the National Management Organisation of Internet Providers (NBIP).

Obfuscation: hiding criminal activity

Malware can be hidden increasingly better

Attackers who want to use malware to steal information from the victim's system, have an interest in concealing this malware. This also applies to erasing all traces if the malware is, nonetheless, detected. Various techniques are used to achieve this goal.

The USB Thief malware works only from the USB stick it was originally placed on. This malware leaves no traces on the compromised system.[225] The malware is encrypted with the hardware ID and disk properties of the USB stick. Because of this, it is, in principle, not readable without this USB stick. The file names of the malware files are also unique per USB stick. This complicates both detection and investigation by investigators.

The Cherry Picker malware, specifically designed for POS systems, is equipped with specific cleaner operations. That makes it possible to erase all traces of the malware once the purpose of the malware - collecting card information - is achieved.[226] In addition to this subtle approach, there is also malware that chooses, upon detection, to delete the entire hard drive and thereby erase all traces.[227] An alternative strategy is used by the creators of the Duqu 2.0 malware. Here, detection and leaving traces is prevented by having the malware be exclusively present in the working memory of the system and not having it make any changes to the system.[228]

Common firmware is an interesting target for attacks, such as the firmware of routers. Targeted attacks on firmware of (peripheral) equipment now seem to be used mainly by sophisticated criminal parties and state actors. It is important for the attacker here that the infection is not detected and remains intact after a reinstallation. Moreover, it is quite conceivable that this technology will also become available to other groups.[229]

Abuse of bona fide services remains popular

In the previous CSAN, abuse of services such as Dropbox, Pinterest and Google Docs for malicious purposes had already been brought to attention. The abuse of these services is attractive, because traffic to and from the services is often sent encrypted by default. Also, communication with the services is not in itself suspicious. Companies and organisations often do not block this traffic in advance. This was also observed during the past period. Advanced criminal parties appear to use this technique. For instance, HAMMERTOSS, the backdoor of a group that is called APT29, uses Twitter as a command-and-control (C2) channel, so that the traffic that controls the malware mimics legitimate traffic.[231] Also, Twitter Direct Messages can be used to control systems infected with malware.[232] Two Android malware families (OpFake and Marry) used Facebook as C2 infrastructure.[233] In addition, the alleged Chinese group admin@338 used Dropbox accounts as C2 infrastructure[234] and the Dridex malware exploited Pastebin for the storage of bogus VBScript that it uses in the attack process.[235]

The use of bona fide services offers attackers the advantage that users communicate with a trusted domain name. For instance, phishing attacks were carried out on Google accounts via Google Drive. That happened by copying a Google login page onto a Google Drive page.[236] This way, victims communicated with a real Google address (googledrive.com) and did not suspect any phishing. Also, technical measures can be circumvented in this way. For instance, a researcher circumvented restrictions in the NoScript Firefox extension by hosting the attack code in the Google Cloud. The googleapis.com domain is white-listed by default in this extension.[237] Moreover, attackers also misuse well-known certificate authorities to legitimately obtain a certificate for their bogus services, for example for a phishing website.[238][239] For instance, certificates from the Let's Encrypt initiative, which aims to secure as many data connections as possible, can even be used to secure a phishing website.[240]

Finally, the TURLA group makes clandestine use of satellite communications in order to mask the location of C2 servers and to exfiltrate data. A great deal of satellite communication is sent unencrypted and may be received in a very large area. This allows a malicious person to hitch a ride on this signal so as to receive data without it being possible to establish the precise location of the malicious receiver. This makes it very hard to map out the C2 infrastructure and to find the perpetrators.[241]

Investigation services argue that the current special investigative powers, such as the interception and recording of communications, are barely effective anymore because of encryption. For that reason, the Computer Crime III bill provides for the granting of the power to remotely infiltrate automated works under certain conditions, if a crime is committed.

Malware infections of firmware

Firmware is software that is loaded into the memory of specific hardware and drives it directly, similar to an operating system for computers. This equipment, the hardware and the firmware loaded onto it, are closely connected with each other. One example is firmware for hard drives that actually takes over the saving of data onto the magnetic disk. Other examples include firmware for video cards, smartphones, smartwatches, smart TVs, routers, IP cameras and mice.

In the past, firmware could often only be loaded once by the manufacturer during production. Nowadays, it is often possible to update firmware at a later moment. Equipment now has increasingly more powerful processors and large amounts of memory, making it more possible for (parts of) full-fledged operating systems, Linux in particular, to be used as a basis for the firmware. This blurs the distinction between operating system and firmware and known vulnerabilities in the operating system can also affect many other types of devices, as well as computers. In this way, malware that was originally written for ordinary computers can also infect those other types of devices. The user often does not expect this. This could include, for example, cars[230] or industrial systems.

Attack vectors

Malvertising remains a threat to internet users

Criminals continue to use malicious ads (malvertising) to infect internet users with malware. Many websites use advertising networks as agents for bringing together supply and demand of advertisers and websites, as well as the actual display of the ad. Due to the wide range of these advertising networks, they form an interesting channel for criminals to spread malware. Users with non-updated software are especially targeted. Advertising networks have often been affected by malicious advertisements. As a result, websites with a global audience send malware to their visitors.[242] Together, these websites have more than two billion visitors per month and provide a large attack surface. Popular Dutch websites are also affected.[243]

Via real-time-bidding advertising networks, ads are shown to specific users (groups).[244] This method was also used during the previous reporting period. Additional techniques were deployed, such as fingerprinting.[245] With fingerprinting, the system of the possible victim is identified first. Malware (or a specific form thereof) is offered only after an assessment. In this way, malware is only offered to vulnerable systems. In addition, for example, malware is only supplied to computers with an IP address of an internet service provider for consumers. Also, the network packets can be used to determine which operating system the possible victim uses.[246] All of these techniques together make it more cost efficient for the attackers to carry out such a campaign. In addition, it is becoming more difficult for researchers and advertising networks to trace current malware campaigns. For example, the malware is not offered to Linux machines and decoy systems, so-called honeypots.

Protection against malvertising is not easy. Spreading malware via the ads is possible because ads are purchased by large websites from advertising networks. These networks sell the ad space on a real-time basis and, because of the design of the advertising system, cannot check the ads for malware. When malware finds its way into the ads, systems that are not fully updated can be infected. Keeping systems up to date is, therefore, one method of combating infection by malvertising. Another measure is to use ad blockers. This software blocks the ads as a whole. This has other disadvantages: ads are no longer shown to users, which affects the revenue model of websites.

JavaScript used for malicious purposes

Popular JavaScript libraries offer a lot of potential for attackers. All modern and popular web browsers support JavaScript. This creates a large attack surface with many users. At the same time, it is a powerful tool to add rich functionalities to websites. Simply turning off JavaScript support is, therefore, no solution.

Cloudflare described an example where JavaScript libraries[247] and JavaScript in advertising networks[248] were used for implementing DDoS attacks. In the past period, we have seen that JavaScript can be used for malicious purposes in several other ways. For instance, criminals tried to infect users' systems through JavaScript e-mail attachments.[249] On GitHub, a fully JavaScript-based bot appeared that can be controlled via Twitter.[250] In addition, it turns out that criminals also use JavaScript as droppers.[251] JavaScript is also used to find the identity of Chinese Tor and VPN users.[252] It is also used to attack the router of users and, for example, to change the DNS settings. As a result, traffic is intercepted and victims are sent towards phishing sites.[253]

Use of stolen key material

One objective of digital certificates is to help the end user verify the authenticity of a source or service. When a service uses a trusted certificate in the correct manner, the application does not give any warnings to the end user: after all, the connection is trusted. If the certificate for the website is correct and has been issued by a trusted authority, it is more likely to create confidence in users, for example through a green address bar in the browser. Criminals try to exploit this trust in certificates by making their malicious activities look extremely trustworthy. In some cases, the criminals make use of stolen key material for the digital signing of malware, for example.[254][255][256] Allegedly, criminals sell such keys on the dark web for prices between 600 and 900 dollars.[258]

Increase in misuse of open sources and social media

In the past reporting period, open information was misused more often. This involves information from previous incidents and doxing. This was the case, for example, when the data of 1,400 American soldiers and officials was placed online.[258] Criminals are not only interested in information on social media. They also want to exploit these media. For instance, the Moose worm focused on home routers and other routers to break into communication with social networks. In this way, likes, views and followers are generated for accounts on these networks.[259] There is, possibly, money to be earned in this way.

Phishing and spear phishing remain popular

Phishing campaigns remain a popular tool for stealing data of victims or infecting systems with malware. Phishing and spear phishing e-mails are getting better and better and ever more convincing. For instance, they use stolen name and address information to send personalised phishing e-mails. For receivers, phishing e-mail is often no longer distinguishable from legitimate e-mail from an organisation. The names and logos of many well-known large Dutch companies are exploited to mislead users.[260][261] Also, in terms of tone, there is a similarity with the general communication of the relevant company in the given period.[262] In some cases, the communication style of the company during the presentation of quarterly results was analysed by criminals and copied to produce the most realistic phishing e-mail. The moment of the presentation of these figures was, moreover, seized by the criminals to carry out their phishing campaign.

Conclusion and looking ahead

Ransomware continues to develop and remains an interesting tool for financial gain. Also, it is becoming more and more focused. For instance, there is filtering of the operating system users work with, as well as their location, IP address and software versions. In this way, actors also try to avoid detection by information security researchers.

The amount of malware on mobile devices is increasing sharply. It is expected that this trend will continue. Mobile devices are becoming increasingly important in everyday life and are used to carry out an increasing number of financial and other activities. This makes them increasingly interesting targets. Other everyday devices may, in future, also serve as attack vectors for, for example, ransomware.

Actors try to infect trusted software sources, such as app stores. This allows them to spread malware or to gain unauthorised access to the system that has been affected by it. The integrity of the entire product chain needs to be monitored in order to preserve the integrity of software and products and to prevent infections.

Malware can be hidden increasingly better and is now offered in a more focused manner in order to prevent (early) detection and keep a foothold in the system. As a result, actors remain under the radar as much as possible. The investments to exploit vulnerabilities in, for example, the firmware of peripheral and other equipment currently still seem high. As a result, it is not likely that there is large-scale exploitation. However, it does provide opportunities for highly targeted attacks against valuable targets.

Malvertising through advertising networks remains an effective method for disseminating malware using exploit kits. In the past period, this also affected popular Dutch websites. Because the method is so attractive to attackers, it is expected that this method of attack will continue to be used in the future.

New amplification methods will continue to further increase the effectiveness of DDoS attacks. In view of the large number of services and protocols to be exploited, it is expected that this trend will also continue in the future. The threshold for performing DDoS attacks remains low, so that, for example, young people use them against schools.

Finally, JavaScript continues to be used for malicious purposes. It is supported by all modern and common browsers and, moreover, runs on the user's system. JavaScript thus offers the possibility to use the user's system directly for, for example, a DDoS attack. It also offers the opportunity to explore the user's system before any real malicious code is sent. It is expected that the number of methods for which JavaScript can be employed for malicious purposes will increase.

Notes

[181] https://www.politie.nl/nieuws/2015/september/16/11-cybercriminelen-aangehouden.html, consulted on 5 July 2016.
[182] Source: police. Registrations in the period from May 2015 through April 2016.
[183] http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/. For the Mac, there were already ransomware versions that exclusively blocked the browser, not the entire system itself. Through scams, they then tried to get money. https://blog.malwarebytes.org/exploits-2/2013/07/qa-about-the-latest-html-ransomware-affecting-mac-os-x-users/.
[184] Source: police and http://www.welivesecurity.com/wp-content/uploads/2016/02/Rise_of_Android_Ransomware.pdf, consulted on 5 July 2016.
[185] http://www.symantec.com/connect/blogs/dawn-ransomwear-how-ransomware-could-move-wearable-devices, consulted on 5 July 2016.
[186] https://securityledger.com/2015/11/ransomware-works-on-smart-tvs-too/, consulted on 5 July 2016.
[187] http://www.cio.com/article/3052553/server-software-poses-soft-target-for-ransomware.html#tk.rss_security, consulted on 5 July 2016. See also the Ransomweb, identified in CSAN 2015, which encrypts the database from a compromised web server. https://www.htbridge.com/blog/ransomweb_emerging_website_threat.html, consulted on 5 July 2016.
[188] http://blog.talosintel.com/2016/04/jboss-backdoor.html, http://blog.talosintel.com/2016/03/samsam-ransomware.html, consulted on 5 July 2016.
[189] Source: police.
[190] https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/, consulted on 5 July 2016.
[191] https://www.secureworldexpo.com/new-ransomware-threatens-publish-personal-information, consulted on 5 July 2016.
[192] http://blog.linuxmint.com/p=2994, consulted on 5 July 2016.
[193] http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/, consulted on 5 July 2016.
[194] http://www.computerworld.com/article/3044728/security/cyberespionage-groups-are-stealing-digital-certificates-to-sign-malware.html, consulted on 5 July 2016.
[195] https://blog.malwarebytes.org/mac/2015/09/xcodeghost-malware-infiltrates-app-store/, consulted on 5 July 2016. http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/, consulted on 5 July 2016.
[196] http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/, consulted on 5 July 2016.
[197] http://www.rtlz.nl/tech/36000-nederlanders-downloadden-malware-app-app-store, consulted on 5 July 2016.
[198] https://www.sophos.com/en-us/press-office/press-releases/2006/10/ipod-ships-with-virus.aspx, https://www.sophos.com/fr-fr/press-office/press-releases/2007/01/tomtom.aspx, consulted on 5 July 2016.
[199] https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_US.pdf, http://www.ibtimes.co.uk/amazon-selling-least-30-brands-cheap-chinese-android-tablets-infected-cloudsota-malware-1528442, consulted on 5 July 2016.
[200] Source: police.
[201] https://www.theiphonewiki.com/wiki/Malware_for_iOS, https://blog.fortinet.com/post/ios-malware-does-exist, consulted on 5 July 2016.
[202] https://www.fireeye.com/blog/threat-research/2015/11/ibackdoor_high-risk.html, consulted on 5 July 2016.
[203] http://www.theverge.com/2016/3/31/11336542/apple-corporate-iphone-security-sidestepper-attack-malware, consulted on 5 July 2016.
[204] http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/, consulted on 5 July 2016.
[205] https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/, consulted on 5 July 2016.
[206] https://tweakers.net/nieuws/107138/stroomstoring-in-oekraine-werd-veroorzaakt-door-gerichte-inzet-malware.html
[207] https://github.com/reverse-shell/routersploit, consulted on 5 July 2016.
[208] https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf
[209] http://www.wired.com/2015/04/therealdeal-zero-day-exploits/, consulted on 5 July 2016.
[210] http://betanews.com/2015/11/20/zerodium-reveals-price-list-for-zero-day-exploits/, consulted on 5 July 2016.
[211] https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
[212] https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
[213] https://www.security.nl/posting/460316/Java-backdoor+besmet+440_000+computers+wereldwijd, consulted on 5 July 2016.
[214] https://www.secureworks.com/resources/rp-2016-underground-hacker-marketplace-report, consulted on 5 July 2016.
[215] See also CSAN 2015.
[216] https://blogs.akamai.com/2015/10/netbios-rpc-portmap-and-sentinel-reflection-ddos-attacks.html, consulted on 5 July 2016.
[217] http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/, consulted on 5 July 2016.
[218] https://www.stateoftheinternet.com/downloads/pdfs/2016-state-of-the-internet-threat-advisory-dnssec-ddos-amplification-attacks.pdf
[219] http://researchrepository.napier.ac.uk/8746/, consulted on 5 July 2016.
[220] http://arstechnica.com/security/2015/08/how-bittorrent-could-let-lone-ddos-attackers-bring-down-big-sites/, consulted on 5 July 2016.
[221] https://blogs.akamai.com/2015/07/ripv1-reflection-ddos-making-a-comeback.html, consulted on 5 July 2016.
[222] http://www.computerworld.com/article/2921559/malware-vulnerabilities/malware-infected-home-routers-used-to-launch-ddos-attacks.html, http://www.computerworld.com/article/2996079/internet-of-things/attackers-hijack-cctv-cameras-to-launch-ddos-attacks.html, consulted on 5 July 2016.
[223] https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf
[224] https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/2015-q3-cloud-security-report.pdf
[225] http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/, consulted on 5 July 2016.
[226] https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/, consulted on 5 July 2016.
[227] http://blogs.cisco.com/security/talos/rombertik, consulted on 5 July 2016.
[228] https://cdn.securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf
[229] Virustotal.com, a website that analyses files in order to detect whether it is malware, has, since 2016, also offered the ability to monitor firmware. http://blog.virustotal.com/2016/01/putting-spotlight-on-firmware-malware_27.html.
[230] http://money.cnn.com/2015/08/06/technology/tesla-hack/index.html, consulted on 5 July 2016.
[231] https://www.fireeye.com/blog/threat-research/2015/07/hammertoss_stealthy.html, consulted on 5 July 2016.
[232] https://github.com/PaulSec/twittor, consulted on 5 July 2016.
[233] http://news.softpedia.com/news/two-mobile-banking-trojans-used-facebook-parse-as-c-c-server-497597.shtml, consulted on 5 July 2016.
[234] http://news.softpedia.com/news/malware-that-hides-c-c-server-on-dropbox-detected-in-the-wild-496951.shtml, consulted on 5 July 2016.
[235] https://blog.gdatasoftware.com/2015/06/24285-new-dridex-infection-vector-identified, consulted on 5 July 2016.
[236] https://www.elastica.net/2015/07/elastica-cloud-threat-labs-discovered-latest-google-drive-phishing-campaign/, consulted on 5 July 2016.
[237] http://labs.detectify.com/2015/06/30/using-google-cloud-to-bypass-noscript/, consulted on 5 July 2016.
[238] http://news.netcraft.com/archives/2015/10/12/certificate-authorities-issue-hundreds-of-deceptive-ssl-certificates-to-fraudsters.html, consulted on 5 July 2016.
[239] http://news.netcraft.com/archives/2015/10/13/fraudsters-use-paypal-office-com-ov-certificate-for-phishing.html, consulted on 5 July 2016.
[240] http://www.infoworld.com/article/3019926/security/cyber-criminals-abusing-free-lets-encrypt-certificates.html, consulted on 5 July 2016.
[241] https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/, consulted on 5 July 2016.
[242] https://www.security.nl/posting/464560/Advertenties+op+populaire+websites+verspreiden+ransomware, consulted on 5 July 2016.
[243] https://blog.fox-it.com/2016/04/11/large-malvertising-campaign-hits-popular-dutch-websites/, consulted on 5 July 2016.
[244] See also CSAN 2015.
[245] https://blog.malwarebytes.org/threat-analysis/2016/03/ofp/, consulted on 5 July 2016.
[246] http://www.pcworld.com/article/3030419/security/the-neutrino-exploit-kit-has-a-new-way-to-detect-security-researchers.html, consulted on 5 July 2016.
[247] https://blog.cloudflare.com/an-introduction-to-javascript-based-ddos/, consulted on 5 July 2016.
[248] https://blog.cloudflare.com/mobile-ad-networks-as-ddos-vectors/, consulted on 5 July 2016.
[249] https://www.trustwave.com/Resources/SpiderLabs-Blog/Cryptowall-and-phishing-delivered-through-JavaScript-Attachments/, https://blogs.technet.microsoft.com/mmpc/2016/04/18/javascript-toting-spam-emails-what-should-you-know-and-how-to-avoid-them/, consulted on 5 July 2016.
[250] https://github.com/Plazmaz/JSBN, consulted on 5 July 2016.
[251] http://labs.bromium.com/2015/06/12/oh-look-javascript-droppers/, consulted on 5 July 2016.
[252] https://www.alienvault.com/open-threat-exchange/blog/watering-holes-exploiting-jsonp-hijacking-to-track-users-in-china, consulted on 5 July 2016.
[253] http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-devices-used-to-execute-dns-malware-against-home-routers/, consulted on 5 July 2016.
[254] http://www.theregister.co.uk/2015/06/15/duqu2_stolen_foxconn_cert/, consulted on 5 July 2016.
[255] http://research.zscaler.com/2016/01/yet-another-signed-malware-spymel.html, consulted on 5 July 2016.
[256] https://securityintelligence.com/certificates-as-a-service-code-signing-certs-become-popular-cybercrime-commodity/, consulted on 5 July 2016.
[257] http://www.theregister.co.uk/2015/11/04/code_signing_malware/, consulted on 5 July 2016.
[258] http://www.theguardian.com/world/2015/aug/13/isis-hacking-division-releases-details-of-1400-americans-and-urges-attacks, consulted on 5 July 2016.
[259] http://www.welivesecurity.com/2015/05/26/dissecting-linuxmoose/, consulted on 5 July 2016.
[260] http://www.bbc.co.uk/news/technology-35996408, consulted on 5 July 2016.
[261] See for a recent overview https://www.fraudehelpdesk.nl/sub-vragen/phishingmails/, consulted on 5 July 2016.
[262] Source: interviews with various sectors.

Security awareness among users cannot keep up with the development of social engineering

4 Resilience: Vulnerabilities

Vulnerabilities in software represent the Achilles' heel of digital security. Keeping all systems up to date is a challenge for both organisations and home users. At the same time, IT applications continue to grow and software vulnerabilities have an impact on the physical safety of users and public spaces, for example with vulnerabilities in the software in cars.

A vulnerability is a property of IT, an organisation or a user that can be abused by actors to achieve their goals or which can lead to a disruption through a natural or technical event. This chapter deals with the developments in the field of vulnerabilities.

Organisational developments

Lack of accountability of the chain makes IT vulnerable

The software industry seems to be developing more and more like an assembly industry[263] with, as a result, much re-use of existing components. Just as in the chain of aircraft construction, for example, it is desirable to have a number of things that can be precisely verified: where a part comes from, whether it is an original part (without modifications), where the part is used and what the state of repair is.

During the reporting period, there have been several incidents where this chain appeared vulnerable. A change in the NPM JavaScript Library (which is used by many web applications) deleted functionality that many of these applications were dependent on. This led those applications to suddenly stop working.[264] In August 2015, vulnerabilities were discovered in pre-installed software on Lenovo products.[265] Lenovo made use of custom firmware which provided a clean Windows installation with Lenovo tools. After the discovery of a vulnerability, Lenovo decided to remove this mechanism. D-Link, a Taiwanese manufacturer, accidentally leaked a code-signing key online. This enabled malicious persons to provide software with a legitimate D-Link signature.[266] It was also revealed that custom firmware with a backdoor for a number of Cisco routers was in circulation.[267] Juniper also announced that an internal audit revealed two serious problems in ScreenOS. These problems were said to have been introduced by an "unauthorised code" in ScreenOS which the company was not aware of.[268] Network equipment from these manufacturers is used almost everywhere in the world; attackers, therefore, have the potential to cause a great deal of damage.
SecurityisnotacorecompetenceofsoftwaredevelopersSeniorsecondaryvocationaleducationcoursesandhighereducationdegreeprogrammesinsoftwaredevelopmentpaylittleattentiontosoftwaresecurity.
269Networksecurityandplatformsecurityarematureprofessionalcompetences;ITspecialistswhoaretrainedtobecomesoftwaredevelopersareassumedtohaveabasicknowledgeoftheseformsofsecurity.
Softwaresecurity,ontheotherhand,remainsasubjectconfinedtouniversityeducation,specificprogrammesorelectivesthataretakenonlybyITstudentsiftheyareinterestedinit.
Becausethisisaglobalphenomenon,thereisnogenerallyacceptedstandardthatmotivatesdeveloperstopayattentiontoit.
Developmentorganisationsconcentrateprimarilyonfunctionalityandspeed.
Thisimpassemeansthatsoftware,uponcompletion,containsmanyvulnerabilitiesthatcanonlybedetectedandremediedafterthefact.

Connectivity of industrial control systems is increasing

Industrial control systems (ICS) [270] are more often connected to IT networks and thus (directly or indirectly) to the internet. IT networks, however, often have a different, usually lower, confidence level with associated security measures than the level that has been set for the linked ICS. This can lead to situations in which these systems are vulnerable to attacks.

Keeping all devices and software up to date is a challenge

Many data breaches at companies are possible due to vulnerabilities that have been known for more than a year but have not yet been remedied by the affected organisation.[271] Many organisations, therefore, invest in a proper update policy, although some are still lagging behind. To update software on workstation PCs and servers, developers of operating systems now offer an increasing number of possibilities.[272][273] Many organisations use legacy systems, outdated systems for which no updates are issued. It is not always possible to modernise these systems or to set up a separate network for them. As a result, they remain vulnerable.[274] Devices other than computers are also not always equipped with a simple update mechanism. Organisations which allow employees, through a bring-your-own-device policy, to use their own smartphones and tablets to access corporate networks and information, cannot check whether users install updates on those (personal) devices. This complicates the control of vulnerabilities.

Vulnerability to advanced threats is unknown

During investigations, it has been established by the intelligence services that the protection measures of many companies consist solely of the use of commercial anti-virus products. Many companies do not realise that attacks by sophisticated threats, such as state actors, go beyond the efforts of already known malware. These state actors commit frequent attacks in which they do not use files that are malicious in themselves,[275] but, through scans, these actors find vulnerabilities in systems which are then exploited.

Another trend is that foreign actors are increasingly focusing on social networks or the home environment of their targets. Where they previously used conventional methods for, for example, eavesdropping and tracking, now foreign actors are more focused on targeting digital tools. In recent years, there have been investments in detection within government and corporate networks, for example with the National Detection Network (NDN). Intelligence services have observed that, partly because of this, attackers have started focussing on networks that are less well-protected, such as home environments. In particular, the infection of mobile devices is popular; this provides access to various applications, but the phone itself can also act as a remote controllable microphone or camera. In intergovernmental organisations, several senior officials have been victims of such infections.[276]

High-publicity vulnerabilities are commonplace

The previously identified trend of publicity campaigns surrounding technical vulnerabilities [277] is continuing.[278] Researchers establish a balance between creating sufficient awareness of a serious vulnerability, on the one hand, and the danger of exaggerating an everyday vulnerability, on the other hand. The exaggeration of vulnerabilities can lead to the "Cry Wolf" effect.[279] Due to excess empty warnings, the attention can wane and one is no longer alert when something serious is going on. Badlock (see box) seems to have brought this risk to the attention of a broader public. The annoyance that has arisen from this may possibly be a reason to reconsider the marketing strategy that some security researchers apply.

Badlock turns out not to be too bad

On 23 March 2016, the Badlock vulnerability was announced prior to publication on April 12.[280] The vulnerability was given a name, logo and website, but still no details were presented on the nature and severity of the vulnerability. It was only mentioned that the vulnerability was in SMB, a protocol to, among other things, share files over a local network that was used in Microsoft Windows and the open source software Samba. System administrators took into account a serious vulnerability that had to be patched immediately at the time of publication.[281] After the details had been made known and updates had been published, security researchers were surprised: there was criticism on the hype that was created and the vulnerability was renamed Sadlock.[282] Although it was recognised that it was still a vulnerability that had to be taken seriously,[283] experts denounced the unnecessary deployment of manpower and the attention that this diverted from other, more serious vulnerabilities.[284]

Developments on the users' side

Mobile devices are often not provided with the latest updates

The market for smartphones and tablets is extremely innovative and competitive. Manufacturers therefore sometimes release new models several times a year, in order to stay ahead. This leads to a large number of different devices which, depending on when they were released, run on different versions of operating systems. Because of the short period during which these devices are supplied by manufacturers (two years is the norm), many manufacturers quickly stop publishing updates for a particular older unit. Users of old devices can, therefore, no longer install updates. Software vulnerabilities are not repaired on those devices.

At the same time, there is a shift in internet use visible among home users. Originally, the PC or laptop was the preferred device in a household to use for internet access, but that role has now been taken over by tablets, smartphones and smart TVs.[285] The importance of keeping these other devices up to date is now, therefore, even greater.

Awareness of users cannot keep up with the development of social engineering

Cyber criminals continue to improve their efforts to persuade users to perform actions. Users fall for phishing e-mails and telephone scams, although the percentage remains low in overall phishing campaigns. When social engineering is specifically focused on individual sectors, organisations or persons, this percentage increases significantly.[286] More targeted information is used to gain more trust from recipients, so that one victim within an organisation is often sufficient for attackers to achieve their goal.

Awareness campaigns for end users are mainly effective when they are aimed at changing behaviour in a specific situation. For instance, the campaign by the Dutch banks ('Hang op, klik weg, bel uw bank', 'Hang up, click close, call your bank') has been successful. This campaign has demonstrably contributed to behaviour change.[287] Campaigns conducted generically and aimed at recognising threats, such as phishing and social engineering in a broad sense, are less effective.

In this reporting period, there has been an increase in telephone scammers who try to convince victims that they have a problem with their computers. They are then persuaded to install some specific software. This is often malware, such as RATs, which allows a scammer to take control of the computer. Initially, the scammers pretended to be Microsoft employees.[288] After many warnings were issued, the names of other organisations were also exploited for this purpose. In many cases, they used the names of telecom or internet service providers. Sometimes, they also spoke on behalf of a government agency.[289]

Internet of Things is on the upswing and makes users physically vulnerable

The Internet of Things is no longer a prediction for the future. Many types of applications and devices are connected to the internet. Manufacturers seem insufficiently aware of the risks involved or lack the technical ability. That means that there are products on the market that still contain various software vulnerabilities.

Car manufacturers are now experiencing the problem of correcting software vulnerabilities. In the summer of 2015, the cars built by Ford, Range Rover, Toyota, Chrysler, Tesla and Chevrolet proved to be vulnerable.[290] Some models could not be automatically updated. In some cases, costly recalls were necessary. In September, Chrysler developed an update on a USB stick and sent it by mail to the car owners.[291] This and other vulnerabilities in on-board computers of cars have a direct impact on road safety. Researchers have demonstrated that the brakes of a car can be controlled remotely. This can threaten the lives of the occupants if, for example, this happens on the highway.[292]

Many vulnerabilities can be prevented if security is given proper attention in the software development cycle. However, it remains necessary to have a good and safe update mechanism for future vulnerabilities. A recall can be extremely expensive. Sending a USB stick with a software update is no assurance that all users will also install it. In addition, criminals could exploit this. If the update is not digitally signed and is not verified, a criminal could, in the same way, send a malicious update to (specific) victims.

Technical developments

TLS remains the subject of vulnerabilities and measures

Transport Layer Security (TLS) is widely used in secure connections on the internet. The best known use of it is https, to allow website traffic to run through a secure connection. This ubiquitous use makes it, for security researchers, a prestigious action to discover vulnerabilities in TLS.

The reporting period again saw several new vulnerabilities and attack methods in TLS applications. The Drown vulnerability, in particular, was rather a sensation in March 2016.[293] With this, a server is exploited that offers the obsolete SSLv2 alongside of TLS. Although it has been recommended for years to disable SSLv2, several websites still appeared to be vulnerable to this attack method.[294] The chance that attacks based on Drown actually occur is limited, however, because of the complexity of the vulnerability.

Adobe Flash Player allows for plenty of vulnerabilities, which have, as yet, not been resolved

In 2015, more than 330 vulnerabilities were repaired in Adobe Flash Player, including eight zero-day vulnerabilities.[295] The top ten of vulnerabilities most commonly used by exploit kits is fully occupied by Flash Player.[296] Partly due to the advent of html5, which allows many features that were formerly developed in Flash to become available without plug-in in modern browsers, it seems that the raison d'être of Flash Player for playback of media is decreasing. The use of Flash Player for online games, for example via Facebook, however, is still popular due to the lack of alternatives.

On websites, the use of Flash is decreasing.[297] Popular websites such as Facebook [298] and YouTube [299] have switched to html5 to play videos. Also, Adobe itself is no longer focusing on the further development of Flash.[300] It is expected that, when the major browsers no longer offer Flash Player as a plug-in, the market penetration rate will decrease further. Flash will, however, not be disappearing yet. Online games and legacy software, among others, still rely on Flash.

Malware is hidden in video cards and firmware

Detection of malware can be hindered by having parts of the malware run not in the ordinary memory of a computer, but in the firmware of peripherals and components within a computer. The techniques for this are advanced, and have mainly been demonstrated in the context of academic research. For instance, malware can be partially loaded into the video card of a computer system, so as to avoid detection.[301] In addition, researchers have managed to install malware in the firmware of an LTE modem [302], an SSD [303] and a hard drive [304]. This allows a malware infection to persist, even after reinstallation of the operating system. In the same way, vulnerabilities can be exploited in the firmware of standard computers, such as the BIOS [305] or its successor, UEFI.[306] Finally, firmware of routers can be infected, so that the malware does not disappear after a reboot.[307] Existing measures are often unable to detect this hidden malware.

Reading out of memory via JavaScript: rowhammering

Researchers have developed a proof-of-concept for a method to use JavaScript to manipulate the DRAM memory of a computer.[308] In order to do this, the rowhammering attack technique is used, that allows sandboxing and other security mechanisms to be bypassed. In May 2016, researchers at the Vrije Universiteit in Amsterdam demonstrated [309] that this technique can be used on Windows 8.1 and higher to adapt memory blocks in a highly targeted manner. With this technique it is then possible to gain remote access to the system.

Conclusion and looking ahead

The Netherlands is vulnerable to digital attacks. It is not always possible to trace the origin and safety level of software. Software is often unwittingly developed unsafely. As a result, it contains numerous vulnerabilities, while an increasing number of devices have software and are connected to the internet. Vulnerabilities in older software are not always resolved, which places challenges on organisations.

Large publicity campaigns for specific vulnerabilities create more awareness, but divert attention and give a distorted picture of the significant number of vulnerabilities that must be addressed annually. Due to the hype created around these high-publicity vulnerabilities, this trend may fade again in the long term.

End users have difficulty recognising fake e-mail and other forms of social engineering. Exploitation of this will continue to increase and awareness campaigns alone can no longer solve this. Additional measures are needed to enable users to protect themselves against attacks through social engineering.

The total vulnerability of the Netherlands continues to increase. This has to do with the increasing coupling of systems to the internet, in combination with the limited possibilities of software developers to develop safe software. Because software is penetrating into more and more devices as part of the Internet of Things, exploitation of software vulnerabilities will have an impact on the physical safety of users.

Notes

[263] https://vimeo.com/111043298, consulted on 13 April 2016.
[264] http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/, consulted on 26 May 2016.
[265] http://www.theregister.co.uk/2015/08/12/lenovo_firmware_nasty/, consulted on 13 April 2016.
[266] http://www.theregister.co.uk/2015/09/18/d_link_code_signing_key_leak/, consulted on 13 April 2016.
[267] https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html, consulted on 13 April 2016.
[268] http://kb.juniper.net/InfoCenter/indexpage=content&id=JSA10713&cat=SIRT_1&actp=LIST, consulted on 13 April 2016.
[269] Based on an assessment of competence lists for IT courses at senior secondary vocational education and higher professional education levels in the Netherlands.
[270] The terms also include: process control systems, operational technology and SCADA systems.
[271] Verizon 2016 Data Breach Investigations Report, http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf, consulted on 28 April 2016.
[272] Microsoft Windows Update for Business, https://blogs.windows.com/windowsexperience/2015/05/04/announcing-windows-update-for-business/, consulted on 11 April 2016.
[273] http://www.itwire.com/business-it-news/open-source/67655-linux-40-released-includes-live-patching, consulted on 11 April 2016.
[274] Source: input to the NCSC from critical infrastructure organisations, see Appendix 2.
[275] One (non-state) example is the threat "The Phantom Menace".
[276] Source: AIVD and MIVD.
[277] Cyber Security Assessment Netherlands 2015, https://www.ncsc.nl/binaries/content/documents/ncsc-nl/actueel/cybersecuritybeeld-nederland/cybersecuritybeeld-nederland-5/1/CSBN5.pdf, consulted on 12 April 2016.
[278] https://www.security.nl/posting/465541/Update+voor+ernstig+lek+in+Samba+en+Windows+aangekondigd, consulted on 15 April 2016.
[279] https://www.wodc.nl/onderzoeksdatabase/2056a-cry-wolf.aspx, consulted on 25 May 2016.
[280] Badlock: "On April 12th, 2016, a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock.", http://badlock.org/, consulted on 12 April 2016.
[281] https://nakedsecurity.sophos.com/2016/04/12/badlock-revealed-probably-not-as-bad-as-you-thought/, consulted on 15 April 2016.
[282] https://sadlock.org/, consulted on 15 April 2016.
[283] https://labsblog.f-secure.com/2016/04/14/badlock-a-lateral-concern/, consulted on 15 April 2016.
[284] https://www.trustwave.com/Resources/SpiderLabs-Blog/Microsoft-Patch-Tuesday,-April-2016/, consulted on 15 April 2016.
[285] http://www.eenvoudigallesonline.nl/gebruik-van-mobiele-apparaten-in-nederland-de-cijfers/, consulted on 18 April 2016.
[286] Source: input to the NCSC from the critical infrastructure, see Appendix 2.
[287] Source: Dutch Payments Association.
[288] https://www.fraudehelpdesk.nl/zoeken/antwoord/antwoord_id=241&zoekopdracht=microsoft, consulted on 18 April 2016.
[289] https://www.ncsc.nl/actueel/nieuwsberichten/wees-alert-op-social-engineering.html, consulted on 18 April 2016.
[290] F-Secure Threat Report 2015, https://www.f-secure.com/documents/996508/1030743/Threat_Report_2015.pdf, consulted on 12 April 2016.
[291] http://www.wired.com/2015/09/chrysler-gets-flak-patching-hack-via-mailed-usb/, consulted on 12 April 2016.
[292] http://www.wired.com/2015/08/hackers-cut-corvettes-brakes-via-common-car-gadget/, consulted on 12 April 2016.
[293] https://www.security.nl/posting/462943/Ernstige+kwetsbaarheid+in+ssl+raakt+33%25+https-servers, consulted on 18 April 2016.
[294] http://www.rtlnieuws.nl/nieuws/binnenland/beveiliging-tientallen-gemeentesites-lek-persoonsgegevens-niet-veilig, consulted on 18 April 2016.
[295] Common Vulnerabilities and Exposures, https://cve.mitre.org/, consulted on 7 January 2016.
[296] NTT Group Global Threat Intelligence Report, https://www.solutionary.com/_assets/pdf/research/2016-gtir.pdf, consulted on 26 April 2016.
[297] http://w3techs.com/technologies/details/cp-flash/all/all, consulted on 28 April 2016.
[298] https://code.facebook.com/posts/159906447698921/why-we-chose-to-move-to-html5-video/, consulted on 11 April 2016.
[299] http://youtube-eng.blogspot.com/2015/01/youtube-now-defaults-to-html5_27.html, consulted on 11 April 2016.
[300] Welcome Adobe Animate CC, http://blogs.adobe.com/animate/welcome-adobe-animate-cc-a-new-era-for-flash-professional/, consulted on 11 April 2016.
[301] http://www.securityweek.com/gpu-malware-not-difficult-detect-intel-security, consulted on 5 July 2016.
[302] http://www.fiercecio.com/story/security-researchers-hide-malware-firmware-lte-modem/2015-08-10, consulted on 5 July 2016.
[303] https://www.computable.nl/artikel/nieuws/security/5408780/250449/hackinggroep-herprogrammeert-ssd-firmware.html, consulted on 5 July 2016.
[304] http://arstechnica.com/information-technology/2015/02/how-hackers-could-attack-hard-drives-to-create-a-pervasive-backdoor/, consulted on 5 July 2016.
[305] http://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine-secure-operating-systems/, consulted on 5 July 2016.
[306] www.computerworld.com/article/2948177/malware-vulnerabilities/hacking-teams-malware-uses-uefi-rootkit-to-survive-os-reinstalls.html, http://www.securityweek.com/researchers-find-several-uefi-vulnerabilities, consulted on 5 July 2016.
[307] http://news.softpedia.com/news/cisco-routers-infected-with-boot-resistant-malware-491835.shtml, consulted on 5 July 2016.
[308] Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript, http://arxiv.org/pdf/1507.06955v1.pdf
[309] http://www.cs.vu.nl/~kaveh/pubs/pdf/dedup-sp16.pdf

Centralisation of IT services makes data easier to secure but more vulnerable to espionage

5 Resilience: Measures

The conscious use of technical and non-technical measures creates a stronger defensive position. Human beings are an important link in security, but awareness seems to be at its peak. Cyber security has clearly found its place on the administrative agenda. That can be seen in many national and international measures.

This chapter discusses measures that increase the resistance and resilience of individuals, organisations and society and limit human and technical vulnerabilities. Measures may be preventive or reactive in nature and are aimed at human beings or at systems (technology).

Human beings

Growing concerns about state actors

After the revelations by Snowden and the attack on Sony Pictures, an increasing number of people are concerned about attacks by state actors. Major parties, such as Facebook, Google and others, now warn users if they suspect that a user is being targeted by a state actor.[310]

In October 2015, the European Court of Justice declared the Safe Harbour framework invalid. This occurred after years of proceedings against Facebook by a group of users led by the Austrian Max Schrems. They argued that the revelations by Snowden showed that personal data of foreigners in the United States was insufficiently protected. This would demonstrate that the agreements in the Safe Harbour framework were not being complied with. The Safe Harbour framework, until then, formed the basis for most of the data exchanges between the European Union and the United States.

On 12 July 2016, the European Commission adopted the EU-U.S. Privacy Shield.[311] This agreement between the EU and the U.S. is the successor to the Safe Harbour framework and aims to ensure adequate protection of personal data of persons in the EU that is stored in the U.S. With Privacy Shield, the Commission meets the requirements that the European Court of Justice set when it declared the Safe Harbour framework invalid with respect to the storage of personal data. Examples of these requirements are: obligations for companies that process data, guarantees concerning access by American investigative services to personal data, the possibility of arbitration and annual monitoring of the operation of Privacy Shield.

Awareness-raising campaigns have varying degrees of effect

In the reporting period, there was again a great deal of attention for various awareness campaigns: European Cyber Security Month, Alert Online, 'Hang op, klik weg, bel uw bank' and Safer Internet Day. The Verizon Data Breach Investigations Report shows that awareness alone is certainly not enough. According to aggregated research, 30 percent of phishing e-mails are opened, 12 percent of people also open the attachment. This also happens very quickly; on average a receiver clicks on an attachment within four minutes after it is sent.[312]

A shortage of cyber security professionals is looming

The demand for cyber security professionals remains high. The Cyber Security Council (CSR) signalled that a major shortage of cyber security professionals is looming. The CSR also noted that more attention should be paid to cyber security in general education. The CSR has advised the State Secretary of Security and Justice on this matter.[313]

Technology

Although human beings are often considered to be the weakest link in the cyber security chain, technology is indispensable for guaranteeing cyber security. To stay safe, an aware user must also be supported by the correct, secure software. This section deals with the most important developments in this area over the past period.

To prevent long-term problems with legacy software, Microsoft has instigated a different strategy with Windows 10. Users of earlier versions of Windows automatically get a message that Windows 10 is available, free of charge. In addition, the default setting for Windows 10 is that updates will be installed automatically. Statistics show that the adoption of Windows 10 went faster than in previous versions of Windows, but Windows 7 still remains by far the most popular.[316]

In 2015, there were some incidents [317][318] with pre-installed software on Windows machines which eavesdropped on, or even modified, traffic. In December 2015, Microsoft announced that it would block software that used man-in-the-middle techniques to display ads.[319] This measure started on 31 March 2016.

Adoption of standards is increasing

The adoption of DNSSEC in the Netherlands and within the Central Government is still displaying a rising trend. In August 2015, 44 percent of the .nl-domains had DNSSEC. Within the Central Government, this was still 28 percent in the summer of 2015.[320]

Since the launch of internet.nl, many tests were carried out in the period from May 2015 through April 2016. Nearly 10,000 unique .nl-domains were tested. Of these, only 12 percent had a perfect score on the TLS test. Of the 2263 tested .nl-e-mail servers, 59 percent used SPF, 47 percent used DKIM and 18 percent used DMARC. Only 13 percent used all three measures.
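
The SPF, DKIM and DMARC figures above count whether a record is published. The following added example (not code from this report or from internet.nl) grades constructed TXT records offline and separates "published" from "enforcing", which also bears on the SPF adoption figures for cloud e-mail providers later in this chapter. The zone data, the DKIM selector `sel1` and the ok/weak/invalid grading are assumptions of the example.

```python
"""Offline grading of SPF, DKIM and DMARC TXT records (added example)."""

# Constructed zone data (DNS name -> TXT strings); not real DNS answers.
# The DKIM selector "sel1" is an assumption: selectors are chosen per sender.
ZONE = {
    "good.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "sel1._domainkey.good.example": ["v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ="],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 a mx +all"],
    "sel1._domainkey.weak.example": ["v=DKIM1; p="],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:192.0.2.0/24 ~all"],
    "redir.example": ["v=spf1 redirect=good.example"],
    "bare.example": ["site-verification=constructed"],
}
DOMAINS = ["good.example", "weak.example", "dup.example",
           "redir.example", "bare.example"]


def parse_tags(record):
    """Split the 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def check_spf(domain, zone, hops=0):
    """Grade the SPF policy of a domain: missing, invalid, weak or ok."""
    txts = zone.get(domain, [])
    records = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid"  # RFC 7208: more than one SPF record is a permerror
    terms = records[0].split()[1:]
    for term in terms:
        qualifier, name = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if name.lower() == "all":
            # "+all" lets every sender pass, "?all" asserts nothing.
            return "ok" if qualifier in "-~" else "weak"
    for term in terms:
        # Without "all", a redirect= modifier delegates to another record.
        if term.lower().startswith("redirect=") and hops < 10:
            result = check_spf(term.split("=", 1)[1], zone, hops + 1)
            return "invalid" if result == "missing" else result
    return "weak"  # no "all", no redirect: unmatched senders are "neutral"


def check_dkim(txts):
    """Grade the key record found at <selector>._domainkey.<domain>."""
    for tags in map(parse_tags, txts):
        if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
            continue
        return "ok" if tags["p"] else "weak"  # empty p= is a revoked key
    return "missing"


def check_dmarc(txts):
    """Grade the policy record found at _dmarc.<domain>."""
    records = [t for t in txts if parse_tags(t).get("v") == "DMARC1"]
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid"  # RFC 7489: several policy records means none applies
    policy = parse_tags(records[0]).get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "ok"
    return "weak" if policy == "none" else "invalid"  # p=none only monitors


def assess(domain, zone=ZONE, selector="sel1"):
    """Return the grade of each of the three measures for one domain."""
    return {
        "spf": check_spf(domain, zone),
        "dkim": check_dkim(zone.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(zone.get(f"_dmarc.{domain}", [])),
    }


def adoption(domains, zone=ZONE, enforcing=False):
    """Percentage of domains with all three measures published (or all 'ok')."""
    def counts(status):
        return status == "ok" if enforcing else status != "missing"
    hits = sum(all(counts(s) for s in assess(d, zone).values()) for d in domains)
    return 100 * hits / len(domains)


if __name__ == "__main__":
    for d in DOMAINS:
        print(d, assess(d))
    print("all three published:", adoption(DOMAINS), "%")
    print("all three enforcing:", adoption(DOMAINS, enforcing=True), "%")
```

On the constructed data, counting published records overstates protection: two of the five domains publish all three records, but only one of them enforces all three.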

From conversations with the various sectors, it appears that most companies recognise that digital security measures are needed. On average, the basic technical measures have also been taken. It is not always known whether these measures could be insufficient against targeted attacks.[321]

Protection against malvertising by adblockers and patching

In an earlier chapter, we already discussed the fact that a significant part of malware infections occur through malvertising. The Netherlands Authority for Consumers & Markets (ACM) has pointed out this risk to the online advertising industry in the Netherlands. The ACM indicates that, if the risk becomes too great, a possible future advice would be to use adblockers in order to protect end users.

Tax and Customs Administration

The Tax and Customs Administration has a Security Operations Center (SOC). This SOC is responsible for the detection and investigation of vulnerabilities in the operational infrastructure, the interpretation of cyber threats and the advising of countermeasures to remove existing risks. During disasters, the SOC acts as the Computer Emergency Response Team of the Tax and Customs Administration.[314]

In the reporting period:
- the office and data centre environment of the Tax and Customs Administration (more than 35,000 workstations and 5,600 servers) issued several reports via the internet. It concerned about 3,300 reports of viruses, 40 reports of hack and crack tools and over 4,700 reports of stopping malicious software;
- the first-line protection (firewalls) prevented nearly three billion attacks and the second-line protection (intrusion prevention facility) prevented more than 2.2 million attacks;
- there was a significant increase in the amount of incoming spam e-mails during the second half of 2015. This increase has continued into the first half of 2016;
- a large number of DDoS attacks have been observed. None of these attacks led to unavailability of information systems. The largest attack was 16 Gbit/s and took place in April 2016.
- There were 97 security incidents recorded of which four incidents were of the highest priority. The SOC examined all these security incidents and solved them, together with the relevant platform teams;
- 15 responsible disclosure reports were made, of which 12 were valid. All these reports were resolved.[315] In total, the Tax and Customs Administration awarded six cups. Two of these security incidents or vulnerabilities led to a possible breach of the integrity and confidentiality of the data managed by the Tax and Customs Administration. These incidents were reported in accordance with the law concerning the data breach reporting obligation;
- more than 7,100 reports were received of false Tax and Customs Administration e-mails. During this reporting period, the Tax and Customs Administration filed multiple reports against these phishing campaigns with the police;
- in collaboration with the NCSC and police, 32 phishing websites were dismantled. Of these, there were fifteen false DigiD websites.

In addition to adblockers, the updating of systems also offers protection against malvertising. Bogus ads use vulnerabilities in software to infect systems. If systems are equipped with the latest updates, bogus ads that use known vulnerabilities can no longer infect these systems.

The large-scale use of adblockers can impact the revenue model of various websites. Adblockers have been available since the rise of pop-up ads in the 1990s. Especially the more tech-savvy home users used these adblockers. Thus, they had visually quieter pages and wanted to combat the privacy-unfriendly behaviour of the advertising industry.

Within the consulted sectors, a small number of companies are already installing adblockers for security reasons. For a number of other companies, this was not standard practice, certainly not in the security departments. They are, however, strongly advised to install adblockers themselves.

Centralisation of IT services makes safeguarding simpler but also makes data more susceptible to espionage

Outsourcing of IT services, for example by the use of cloud services, is a trend that has been under way for some time. E-mail is one example of this. E-mail is, for organisations in small and medium-sized enterprises, complex to self-administer. Alternatives in the cloud are then attractive, due to low costs and limited management. A large and experienced provider can often offer e-mail better and safer than one's own IT Management department. The below observations on outsourcing of e-mail also apply to many other outsourced IT services.

E-mail outsourcing is increasingly common, both directly with cloud service providers and via full service providers. A cloud service provider manages e-mail but requires the domain name holder to set his DNS settings in such a way that the e-mail goes to the cloud service provider. A full-service provider sells the services of a cloud provider, but also manages the DNS zone for the client.

Figure 10 shows how the growth of two cloud service providers in a four-month period has progressed for .nl-domain names.[322] During this period the number of .nl-domain names remained almost identical. This creates the image that organisations increasingly outsource their e-mail to cloud service providers.

This centralisation is considerable for .nl-domain names. Thirty percent of .nl-domain name holders have e-mail handled by one of the ten most popular e-mail handlers.[323] For .com-domain names, this centralisation is even stronger: there, for 50 percent of domain names, e-mail is handled by one of the ten most popular e-mail handlers. Because small organisations here are counted in the same way as large ones, these statistics are probably most representative of SMEs.[324]

Figure 10: Growth of cloud service providers (% growth, March 2016 to June 2016; series: Office 365, Google Mail). Source: OpenINTEL.

New security standards for e-mail are more easily adapted if organisations outsource their e-mail. Full service providers can, for example, introduce SPF in one go for all their clients. For them, the application of the standard is a one-time investment and a selling point. Also, cloud service providers make it easy for their customers with ready-to-use instructions for setting up standards such as SPF. Outsourcing e-mail to a cloud service provider, or possibly through a full-service provider, appears to provide a greater adoption of SPF. In Figure 11, we see that the customers of cloud service providers Microsoft and Google show a significantly higher SPF application than the rest of the .nl-domain name holders.

Centralisation of e-mail also has disadvantages. As early as in the annual report of 2015, the AIVD stated that the use of cloud services involves an additional risk of espionage. This risk also applies to full service providers. In addition, vulnerabilities in the software of cloud service providers and full-service providers immediately have greater consequences because more customers are dependent on the security of the service.

In January 2016, two researchers found a vulnerability in Microsoft Office 365. This enabled them to log in to accounts of other organisations.[325] This vulnerability was reported to Microsoft and repaired within hours. If the researchers had, however, kept the vulnerability a secret, they could have gotten access to a great deal of sensitive information in all kinds of organisations.

Measures against DDoS attacks

DDoS attacks have become part of the overall threat, as already described. Various measures can, however, prevent DDoS attacks, or at least combat their effects.

By setting up routers in networks properly, DDoS attacks can be prevented. This way, spoofed packets are easily stopped.[333] These packets are the source of many different forms of attacks. Unfortunately, filtering this is only effective if almost all networks set it up.

To counter the adverse effects of DDoS attacks, two initiatives were launched in the past year in the Netherlands: the Trusted Network Initiative (TNI) [334] and a collaboration of internet service providers, the Dutch Continuity Board (DCB). The aim of both initiatives is to minimise the impact of a DDoS attack on Dutch critical infrastructure. This allows services to be made available again to Dutch users as soon as possible. Most members of TNI ultimately decided to join up with DCB. The DCB project wants to be operational by the end of 2016.

Figure 11: Application of SPF on .nl-domain names (% with SPF, March 2016 to June 2016; series: Office 365, Google Mail, all .nl domains). Source: OpenINTEL.

Developments in the Netherlands

Digital security is clearly visible on the Dutch policy agenda. A number of ongoing initiatives became more visible in the past year, such as Idensys and MijnOverheid.

The developments around Idensys (formerly the eID system) are now beginning to take shape. In July 2015, the Idensys Privacy Impact Assessment was published. It includes a number of recommendations.[335] In late 2015, this was further developed and several public and private organisations started with a pilot project.[336] The Dutch banks have also jointly set up a similar service: iDIN.[337] This allows customers to use their log-in method at the bank to identify themselves with other institutions. At this moment, there is a pilot project using this service with the Tax and Customs Administration.

The government is trying to communicate with citizens in an increasingly digital manner. To facilitate this, the 'MijnOverheid' project has been set up. A central website, mijnoverheid.nl, gives access to electronic communications with various government agencies. In November 2015, the legal foundation was laid for electronic communications from the Tax and Customs Administration via this website. An increasing number of government agencies are members of the Digital Message Box: in April 2016, already 119 municipalities, 23 pension funds and 28 other government agencies.

The National Detection Network (NDN) was, as early as 2015, named as an important partnership of the NCSC and other parties in the exchange of information on threats. The pilot projects received a positive evaluation at the end of 2015. The network will be further extended in 2016 and included in the standard services of the NCSC.

In the reporting period, the Dutch energy sector worked on a risk analysis of chain dependencies in the energy sector. This analysis showed the vulnerability of systems through these dependencies.[338]

Internet Standards Platform calls for the application of standards

The Internet Standards Platform, a collaboration between the internet community and the Dutch Government, launched the website internet.nl in April 2015. This website checks to see if an internet connection, e-mail or web server complies with modern internet standards. The website internet.nl can test a server for the connection security of both web and e-mail traffic. Moreover, the site also indicates the extent to which this satisfies the 'comply or explain' list of the Standardisation Forum.

Is there a second crypto-war

The public debate on encryption is not over yet. In September 2015, the American government tried to persuade public companies to cooperate in the field of encryption and decryption, so as not to hinder detection.[326] This was initially not well received. In March 2016, the discussion escalated: the FBI tried, via a lawsuit, to force Apple's help to gain access to a phone belonging to a US terrorist.[327] Apple did not agree and said that the method would provide access to almost all iPhones. That is why Apple appealed and the company published an open letter.[328] In the public debate, Apple quickly gained the support of many large technology companies. Ultimately, the FBI dropped the case because access was gained to the telephone in a different way.

During this debate in the U.S., WhatsApp switched on end-to-end encryption for all users.[329] Thus, the content of the messages is, in principle, only accessible to the transmitter and receivers. WhatsApp is not the first messaging app that offers this, but it is the biggest with over one billion users worldwide.

The Dutch Data Protection Authority published an advisory for physiotherapists using a contact form on their website. If sensitive data (citizen service numbers or medical data) is to be filled in, then the entire website must use TLS. Similarly, in June 2015 the US government decided to switch all government websites over to https.[330] The explanation indicates that web traffic has become a central part of our lives. Non-sensitive traffic does not exist on the internet. Therefore, the government should not depend on the good intentions of network administrators.

The launch of Let's Encrypt helped further advance the adoption of https and encryption. This free and accessible web certificate service became publicly available in late 2015. In the meantime, more than 2 million certificates have already been issued by Let's Encrypt.

In January, the government made its position on encryption public.[331] It then became clear that the Dutch government supported encryption. The government is also against legal measures with respect to the development, availability and use of encryption algorithms. In January 2016, the French government followed the Dutch position and took the same position. The Dutch government also contributes to the implementation of encryption by donating 500,000 euros to encryption projects (such as OpenSSL, LibreSSL and PolarSSL).[332]

The website proved to be an effective means to help parties improve their use of modern internet standards. Of all the websites that were tested multiple times by visitors of internet.nl, almost fifty percent improved the score between the first and the most recent test.

In June 2015, new security requirements for e-mail traffic were added: in addition to DKIM (DomainKeys Identified Mail), SPF (Sender Protection Framework) and DMARC (Domain-based Message Authentication Reporting and Conformance) were added to the 'comply or explain' list. These are required to create safer e-mail and combat spam and phishing. For larger organisations, it is not easy to apply these standards; the NCSC factsheet 'Protect domain names from phishing'[339] can help with this.

The above measures help to authenticate the sender of e-mails. More is required in order to ensure integrity and confidentiality as well. For this, the traditional STARTTLS is used, which is also used by more than 90 percent of e-mail servers. Here, STARTTLS is only an effective measure against a passive, eavesdropping attacker. In October 2015, therefore, the combination of STARTTLS with DANE was standardised.[340] This combination also protects against other possible attacks. In February 2016, it was also proposed to add this to the 'comply or explain' list.
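
The e-mail checks described above, as an added example (not code from internet.nl or the NCSC): Python that grades DNS answers for SPF, DKIM, DMARC and STARTTLS with DANE. The domain names, record contents and grade labels are constructed for illustration, and the DKIM selector is assumed to be known.

```python
# Added example: grade constructed DNS answers for the mail standards named above.
# Domain names, record contents and grade labels are constructed for illustration.

def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM) into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(apex_txt):
    """Grade SPF from the TXT records published at the domain itself."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: multiple SPF records"      # a permerror under RFC 7208
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "enforcing", "~": "softfail",
                    "?": "neutral", "+": "allows any sender"}[qualifier]
    if any(t.startswith("redirect=") for t in terms):
        return "delegated"                           # policy is taken from another domain
    return "neutral"                                 # no 'all' term: unmatched mail is neutral


def check_dmarc(dmarc_txt):
    """Grade DMARC from the TXT records at the _dmarc label of the domain."""
    records = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return "missing" if not records else "invalid: multiple DMARC records"
    policy = parse_tags(records[0]).get("p", "").lower()
    return {"reject": "enforcing", "quarantine": "enforcing",
            "none": "monitoring only"}.get(policy, "invalid: no usable p= tag")


def check_dkim(selector_txt):
    """Grade the DKIM key record of one known selector."""
    for record in selector_txt:
        tags = parse_tags(record)
        if "p" in tags:
            return "published" if tags["p"] else "revoked"   # an empty p= revokes the key
    return "missing"


def check_transport(starttls, tlsa, dnssec_valid):
    """Grade transport security of the MX host on port 25."""
    if not starttls:
        return "cleartext"
    # RFC 7672: only certificate usages DANE-TA(2) and DANE-EE(3) are usable for
    # SMTP, and only when the TLSA answer was DNSSEC-validated.
    usable = [r for r in tlsa if r[0] in (2, 3)]
    if usable and dnssec_valid:
        return "authenticated (STARTTLS + DANE)"
    # Without DANE the sender cannot tell a stripped STARTTLS offer or a
    # substituted certificate from the real server.
    return "opportunistic (passive attacker only)"


def grade(snapshot):
    """Return one grade per standard for a snapshot of a domain's DNS answers."""
    return {
        "spf": check_spf(snapshot["apex_txt"]),
        "dkim": check_dkim(snapshot["dkim_txt"]),
        "dmarc": check_dmarc(snapshot["dmarc_txt"]),
        "transport": check_transport(snapshot["starttls"], snapshot["tlsa"],
                                     snapshot["dnssec_valid"]),
    }


# Constructed snapshots; TLSA tuples are (usage, selector, matching type, hex data).
SAMPLES = {
    "strict.example": dict(
        apex_txt=["v=spf1 mx -all"],
        dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
        dkim_txt=["v=DKIM1; k=rsa; p=CONSTRUCTEDKEYDATA"],
        starttls=True, tlsa=[(3, 1, 1, "ab" * 32)], dnssec_valid=True),
    "partial.example": dict(
        apex_txt=["v=spf1 include:_spf.partial.example ~all", "site-verification=123"],
        dmarc_txt=["v=DMARC1; p=none"],
        dkim_txt=[],
        starttls=True, tlsa=[], dnssec_valid=False),
    "broken.example": dict(
        apex_txt=["v=spf1 mx -all", "v=spf1 a ~all"],
        dmarc_txt=[],
        dkim_txt=["v=DKIM1; p="],
        starttls=True, tlsa=[(3, 1, 1, "cd" * 32)], dnssec_valid=False),
}

if __name__ == "__main__":
    for domain, snapshot in SAMPLES.items():
        print(domain, grade(snapshot))
```

The third sample shows why presence alone is not enough: two SPF records, a revoked DKIM key and a TLSA record that is not DNSSEC-validated all grade as failures even though something is published for each.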

Consumers' Association instituted preliminary relief proceedings against Samsung

In the Netherlands, the Consumers' Association started the 'Update!' campaign. In this way, they want to take on Android telephone manufacturers who have a flawed updating policy. In the first action, the Consumers' Association pressed charges against Samsung about this. The Consumers' Association argued in preliminary relief proceedings that Samsung has, for at least two years after the purchase, a duty of care and must make updates available. The Court indicated in these proceedings that it saw no urgent interest and, therefore, refused to institute further proceedings. The Consumers' Association feels that the situation with respect to the Android update policy by various manufacturers is still worrisome.[341]

Netherlands Clean increases awareness about bad hosting

Dutch hosting remains popular among professional criminals.[342] Many hosting providers indicate that they do not have visibility with respect to the actual users of their infrastructure, because they use a model of reselling. Some of their resellers facilitate criminal activities by offering the most anonymous hosting possible, at relatively high prices.

To raise the awareness of hosting providers for the malicious activities of their customers in their infrastructure, TU Delft has carried out measurements of bad hosting in the Netherlands within the framework of the Netherlands Clean project.[343] The measurements were based on, among others, public and private information, such as from the Internet Hotline against Child Pornography and the National Centre for International Legal Assistance (LIRC). They were further normalised according to the size of the hosting provider. The measurements were used to make an assessment of the 'badness' of all Dutch hosting providers.

In mid-2015, the Public Prosecution Office, the police and the ACM had meetings with the top 10 bad hosting providers. This was to point out their facilitating role in digital crime and the measures they can take against it. A second round of measurements showed that some hosting providers had improved. Some providers continued to score poorly in terms of bad hosting, or have even deteriorated. Along with other indicators, such as the lack of cooperation with the government and the absence of preventive measures, the results of Netherlands Clean provided insight into which providers must be given extra attention. In the near future, the police and the Public Prosecution Service are certainly going to concentrate on tackling these bad hosts.

The ultimate goal of the Netherlands Clean project is, however, a change in behaviour of hosting providers. In doing this, the industry ensures, through self-regulation, the clean-up of the hosting infrastructure.

Reporting obligations

On 1 January 2016, the new Personal Data Protection Act went into force. With this, the supervisory authority also got a new name: Dutch Data Protection Authority. The law also regulates that there is more authority, including the authority to issue fines for violations of the law. With this law, the Netherlands has given substance to the EU General Data Protection Regulation.

According to the new Data Protection Act, after 1 January, companies must report incidents involving the possible breach of personal data. In the first week of January, as many as twenty notifications were made to the new Dutch Data Protection Authority; by April, there were already a total of a thousand reports.

The data breach reporting obligation, however, is different from the reporting obligation under the Data Processing and Reporting Obligation (Cybersecurity) Bill. The latter reporting obligation applies to organisations in the critical infrastructure. Notifications about security incidents must be filed with the NCSC. This reporting obligation is part of a larger bill regarding the tasks of the NCSC, and is still being debated in the House of Representatives.

Chapter 5 Resilience: Measures | CSAN 2016

International developments

Regulation

In the summer of 2015, a consultation was held in the US on the practical details concerning export regulations with respect to intrusion software. In 2013, technology and tools with respect to intrusion software were added to the Wassenaar Arrangement list of dual-use goods. In the participating countries, an export license must, therefore, be applied for in order to export technology, software and tools for gaining access to other computers.

The security sector in the United States responded en masse to the consultation. They indicated that the current definitions of intrusion software were very problematic.[344] Microsoft, for example, indicated that under this regulation, the company expects having to handle hundreds of thousands of licensing requests per year. The U.S. Government was instructed to again negotiate the addition.[345] This export regulation has been in force in Europe since late 2013 and was also discussed at the latest NCSC One Conference.

Asus showed America that manufacturers do have some degree of responsibility for secure software. In February 2016, the manufacturer reached a settlement with the FTC on poor security in software for WiFi routers.[346] Asus has agreed to allow independent security audits for the next 20 years.

Cooperation

In September 2015, the U.S. and China concluded a digital non-aggression pact. The treaty holds that the governments will not carry out economic espionage against each other. The treaty says nothing about traditional forms of espionage.

On 6 July 2016, the European Directive on network and information security (NIB) was adopted by the European Parliament. Member States have 21 months to implement the directive (plus an additional six months to designate providers of essential services). First of all, the Directive requires Member States to have their national cyber security capacity in order, secondly, to strengthen cooperation (national and EU) and, finally, to design security and notification requirements for providers of essential services.

Responsible or coordinated vulnerability disclosure

One of the priorities of the Global Forum on Cyber Expertise is the further promotion of responsible disclosure. This was also high on the agenda during the Dutch presidency of the European Union. Nationally and internationally, there are various important developments in this area. The first development is that, internationally, the main term used is 'coordinated vulnerability disclosure'. The term 'responsible' is often seen as a value judgment, especially to the detector. 'Coordinated' endeavours to indicate that this is an equivalent process for both parties.

In the United States, several multi-stakeholder meetings have been held on possible regulations concerning vulnerability disclosure. The NTIA is organising these meetings together with industry representatives, researchers and government. They are organised around four themes: awareness and adoption, multi-vendor disclosure, economics and incentives and, finally, security and disclosure.

In an increasing number of sectors, it is common to have a vulnerability disclosure programme. After the experience with the Jeep incident,[351] General Motors announced a general vulnerability disclosure programme for all products. Several airlines have also started disclosure programmes and offer air miles as a reward for reporting vulnerabilities.

The practice with respect to the professionalisation of vulnerability disclosure is also increasing. Several companies offer help in setting up or maintaining a vulnerability disclosure programme. It is also increasingly common for financial rewards to be given for notifications.
Google alone paid out more than two million dollars in 2015.[352]

In April 2016, the International Standardisation Organisation (ISO) made the document on vulnerability disclosure (ISO 29147) publicly available.[353] At this time, work is also being done on revising this standard from 2014 in order to process new insights in the field of vulnerability disclosure.

Rabobank and CIO Platform Netherlands have drawn up a Coordinated Vulnerability Disclosure Manifesto. Signatories of this manifesto endorse the importance of the vulnerability disclosure process and appreciate the interaction with researchers and the hacker community. This manifesto was published in May 2016. Twenty-nine companies in the Netherlands and abroad have already signed it.[354]

Combating cybercrime

In the past year, there have been some major operations against cybercriminals in the Netherlands, but also a number of large operations abroad.

In the spring of 2015, the police arrested two suspects. They were e-mailing spam with the subject 'incorrect invoice' to small and medium-sized enterprises. In that way, they were able to install RATs and they got access to the internet banking accounts of the companies. As a result of this investigation, in May 2016, the Public Prosecution Service and the police published an information sheet for SMEs in cooperation with the NCSC, SME Netherlands, ECP and the Dutch Payments Association.

A number of members of the Lizard Squad were convicted in the past year. The 17-year-old 'obnoxious' was convicted in May 2015, for, in particular, his swatting activities.[347] Also, in Norway, the 17-year-old 'zeekill' was convicted for more than 50,000 offences.[348]

In June 2015, a major international investigation into mobile banking malware was completed. Here, an important network of cybercriminals was rounded up. This resulted in the arrest of a total of 60 suspects worldwide, of which about forty in the Netherlands. Four main suspects were given prison sentences of 24 to 39 months in the Netherlands. Also, part of the infrastructure used was in the Netherlands and was dismantled.

In July 2015, the cybercrime forum Dark0de was taken off-line as a result of a large, international operation.[343] The FBI worked together with Europol during the Shrouded Horizon operation. There were actions in 20 countries whereby 70 people were arrested.

In August 2015, Ziggo was hit by major DDoS attacks for two evenings. This caused a failure in the Ziggo network, resulting in about 1.8 million of the provider's customers having no internet access. In video messages on YouTube, the criminals threatened to carry out new attacks on Ziggo. KPN has also been the target of DDoS attacks. During the police investigation, the DDoS attack was claimed anonymously on the internet. The impression was that the guys wanted to show that they are capable of great things, such as shutting down the internet service provider. Five suspects were arrested. Four of them were minors (14-17 years of age).

In the previous CSAN, it was described how the police, in April 2015, succeeded in providing a series of protected decryption keys to ransomware victims. Through cooperation with anti-virus company Kaspersky, the police got a clearer picture of the suspects behind these criminal activities. In September, the police were able to arrest two men (18 and 22 years old) in Amersfoort.

Two Dutch suspects were arrested in October 2015. They made many victims by setting up fake web-shops for a short period (up to several days) online and selling desirable stuff (such as phones and carrier bikes) that were never delivered.

In January 2016, Europol announced that they had carried out a successful operation against the DD4BC group. This group had been very active during the past year in blackmailing companies with DDoS attacks. This group threatened thousands of companies. Often, no official reports were filed.

AbuseHub was already named in the previous CSAN. This is a collaboration between the various internet service providers to exchange information and, thus, to fight cybercrime. Since January of this year, this initiative has been further expanded with hosting providers. Via this platform, security risks and reported abuse are automatically passed on to clients without going through the hosting parties. The goal is to make it as difficult as possible for cybercriminals.

In the Netherlands, the FIOD has also acted to arrest the perpetrators behind a phishing operation. In January 2016, a 23-year-old man was arrested for this in Almere. He is suspected of, among other things, having sent phishing e-mails on behalf of the Director General of the Tax and Customs Administration.[350]

On social media, a message appeared on Tuesday 29 March and Wednesday 30 March 2016 that the Tax and Customs Administration website would be shut down. Because of this, many people would not be able to submit their tax returns in time. The cybercrime team of the Central Netherlands Police Unit, in collaboration with the High Tech Crime Unit, arrested a 17-year-old suspect. He threatened to shut down the website of the Tax and Customs Administration through a DDoS attack.

In April 2016, the police secured a company's network infrastructure. The owner was arrested for money laundering. The company sold, for an average of 1500 euros, BlackBerries with PGP software to encrypt messages. The membership fee amounted to 3,000 euros per year, on average. These phones are not suitable for making calls, only for sending messages. The police and the Public Prosecution Service suspect that most of the users use the phones to hide serious and organised crime.

[310] http://www.securityweek.com/microsoft-warn-users-state-sponsored-attacks, consulted on 5 July 2016.
[311] http://europa.eu/rapid/press-release_IP-16-2461_en.htm, consulted on 3 August 2016.
[312] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/, consulted on 5 July 2016.
[313] http://cybersecurityraad.nl/assets/csr_advies_cybersecurity_in_onderwijs_en_bedrijfsleven-vdef.pdf
[314] Furthermore, the SOC has the task of issuing fraud indications to the anti-fraud teams within the Tax and Customs Administration. Through issuing these indications, many millions of euros in possible fraudulent transactions have been halted.
[315] Since 18 February 2014, the Tax and Customs Administration has been using a responsible disclosure procedure, which has been published on the internet, see www.belastingdienst.nl/security.
[316] http://gs.statcounter.com/#desktop-os-ww-monthly-201503-201603
[317] https://blog.hboeck.de/archives/865-Software-Privdog-worse-than-Superfish.html, consulted on 5 July 2016.
[318] http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate, consulted on 5 July 2016.
[319] https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/, consulted on 5 July 2016.
[320] https://www.forumstandaardisatie.nl/fileadmin/os/publicaties/Monitor_OSb_2015_Definitief.pdf
[321] https://www.aivd.nl/actueel/nieuws/2016/04/21/aivd-jaarverslag-breed-palet-aan-dreigingen-voor-nederland, consulted on 5 July 2016.
[322] The measurement for .nl domain names was not implemented until early 2016. Therefore, several months beyond the reporting period have been included in the graph so as to provide more insight.
[323] This top 10 is determined on the basis of the MX records of the examined domain names. It is conceivable that several of these suppliers link standard e-mail handling to the domain name, without also making e-mail boxes available for this.
[324] The data in this section comes from research that is part of OpenINTEL (http://www.openintel.nl/), a joint project of SURFnet, the University of Twente and SIDN.
[325] https://bratec.si/security/2016/04/27/road-to-hell-paved-with-saml-assertions.html, consulted on 5 July 2016.
[326] http://motherboard.vice.com/read/the-white-house-thinks-it-can-make-a-deal-with-companies-to-break-encryption, consulted on 5 July 2016.
[327] https://assets.documentcloud.org/documents/2714001/SB-Shooter-Order-Compelling-Apple-Asst-iPhone.pdf, consulted on 5 July 2016.
[328] http://www.apple.com/customer-letter/, consulted on 5 July 2016.
[329] https://blog.whatsapp.com/10000618/end-to-end-encryption, consulted on 5 July 2016.
[330] https://https.cio.gov/
[331] https://www.rijksoverheid.nl/documenten/kamerstukken/2016/01/04/tk-kabinetsstandpunt-encryptie, consulted on 5 July 2016.
[332] https://www.tweedekamer.nl/kamerstukken/amendementen/detailid=2015Z23825&did=2015D48058, consulted on 5 July 2016.
[333] http://www.routingmanifesto.org/
[334] https://tn-init.nl/
[335] https://www.idensys.nl/fileadmin/bestanden/idensys/documenten/basisdocumentatie/pia/310715_Managementsamenvatting_van_de_finale_versie_van_de_PIA.pdf
[336] https://www.rijksoverheid.nl/documenten/kamerstukken/2016/02/17/kamerbrief-over-verzoek-overzicht-lopende-pilots-e-id-met-vermelding-van-deelnemende-partijen, consulted on 5 July 2016.
[337] http://www.betaalvereniging.nl/giraal-en-online-betalen/idin/, consulted on 5 July 2016.
[338] https://www.cybersecurityraad.nl/actueel/digitale-ketenveiligheid-krijgt-veel-te-weinig-aandacht.aspx, consulted on 13 July 2016.

Conclusion and looking ahead

Cyber security has clearly found its place on the administrative agenda. This past year, this has resulted in various measures aimed at humans, technology and organisations. The demand for cyber security professionals remains high. This can lead to problems in the future.

The classic technical measures, such as backups and network segmentation, are again proving their worth because they reduce the impact of ransomware attacks. New measures that have been added to the 'comply or explain' list are also receiving more attention because they can be tested easily with the website internet.nl.

In the past year, measures concerning encryption were clearly part of the public debate. Measures have been taken for a better application of encryption, such as new obligations regarding TLS. In addition, Let's Encrypt is making certificates more accessible. At the same time, this makes the field of tension between the interests of security and detection even clearer. That has led to an international discussion. The Netherlands was the first country to speak out in favour of encryption. It does not take steps to limit the development, availability or use of encryption algorithms.

Vulnerability disclosure received a great deal of attention in the past year. An increasing number of organisations are implementing it. Internationally, this practice is becoming more and more acceptable. An increasing number of companies are speaking out publicly in support of this.

Notes

[339] https://www.ncsc.nl/actueel/factsheets/factsheet-bescherm-domeinnamen-tegen-phishing.html
[340] https://tools.ietf.org/html/rfc7672, consulted on 5 July 2016.
[341] http://www.consumentenbond.nl/campagnes/updaten/updates-naar-android6/, consulted on 5 July 2016.
[342] Source: police.
[343] Source: police.
[344] https://threatpost.com/security-researchers-sound-off-on-proposed-us-wassenaar-rules/113023/, consulted on 5 July 2016.
[345] https://langevin.house.gov/press-release/white-house-responds-langevin-and-mccaul-wassenaar-concerns, consulted on 5 July 2016.
[346] https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put, consulted on 5 July 2016.
[347] "Swatting" means tipping off the police anonymously, resulting in a SWAT team raiding an innocent victim.
[348] http://www.dailydot.com/crime/lizard-squad-indicted-julius-kivimaki/, consulted on 5 July 2016.
[349] http://motherboard.vice.com/read/the-mysterious-disappearance-and-reappearance-of-a-dark-web-hacker-market, consulted on 5 July 2016.
[350] https://www.security.nl/posting/458110/FIOD+arresteert+man+wegens+phishingmails+Belastingdienst, consulted on 5 July 2016.
[351] http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/, consulted on 5 July 2016.
[352] https://googleonlinesecurity.blogspot.nl/2016/01/google-security-rewards, consulted on 5 July 2016.
[353] http://standards.iso.org/ittf/PubliclyAvailableStandards/c045170_ISO_IEC_29147_2014.zip
[354] http://www.thegfce.com/news/news/2016/05/12/launch-manifesto-on-responsible-disclosure, consulted on 5 July 2016.

SMEs are important for the economy, but are fragile in the digital domain

6 Interests

Cyber security means taking steps to prevent damage being caused by IT being disrupted, interrupted or exploited and, if such damage occurs, repairing it. The prevention of damage, including through digital means, is in the interests of the Netherlands. The government's position on encryption shows that the government is making the interests of citizens, businesses and government a priority. It sees no possibility to weaken encryption without affecting those interests. The data breach reporting obligation can ensure that organisations pay more attention to measures to protect personal data. The importance of small and medium-sized enterprises for the Netherlands is great: many chains contain SMEs. However, in the area of cyber security measures, this group is lagging behind.

Disruption of IT systems and leaks in their security harm the interests of individuals, organisations or society. This is reflected in interests in the area of freedom, security and societal growth.[355]

Societal interests

Freedom

IT plays a central role in society. Fundamental values and rights are no longer separate from the technical environment in which they occur. These values and rights must, therefore, be guaranteed in the digital domain.

Security

The security of society, in general, and citizens, in particular, is partly dependent on IT. Failure of IT-based services and processes can have major social consequences in terms of security. Also, it can affect the safety of citizens. Confidence in the digital domain is essential for ensuring safety.

Societal growth

The development of IT and the innovative power of technological development are key drivers for growth. Aside from economic growth, it also concerns social growth. Digitisation offers society new opportunities, for example in the form of applications for educational purposes, possibilities to maintain social contacts and improved government facilities.

The development of interests

Interests often remain stable over a longer period of time. However, there have been developments: the use of digital resources is changing. These developments mostly focus on the effect that growth in the use of digital resources has on existing interests.

Government's position on encryption: no measures to weaken encryption

In January 2016, the government sent its position[356] on encryption to the House of Representatives. The position of the government is that the importance of encryption for government, businesses and citizens is great. Cryptography plays a key role in technical security in the digital domain and many cyber security measures in organisations rely heavily on the use of encryption, according to the government. The government believes that there is, currently, no insight into possibilities to weaken encryption products without thereby affecting the interests of government, industry and citizens. Introducing a technical entryway into encryption products to enable law enforcement agencies to be able to view encrypted files, for example, might make digital systems vulnerable to, for example, criminals, terrorists and state actors.

Communication by the government is increasingly digital. One of the agreements from the coalition agreement is that, by 2017, all communication between citizens and businesses and the government must be digitally available. Also, information within the government is increasingly digital. For these cases, the possibilities of encryption are essential. Encryption can ensure that the data is protected against perusal by third parties.

Encryption enables businesses to securely store and send corporate information. If they can use encryption, that strengthens the international competitive position of the Netherlands. Confidence in secure communication and data storage is essential for the (future) growth potential of the Dutch economy. This is primarily in the digital economy. The interests of businesses in the field of social growth are thus protected.

Finally, encryption supports citizens in protecting themselves against infringements of privacy and against restricting freedom of expression. This allows citizens to protect their interests in the area of freedom and security.

Encryption provides benefits to government, the business community and citizens. At the same time, it also offers malicious persons the ability to conceal their conduct in the digital domain. This can keep them out of sight of investigative, intelligence and security services. This touches upon the security interest. The government considers the adoption of restrictive legal measures against the development, availability and use of encryption within the Netherlands not to be desirable at this time.

Data breach reporting obligation

The data breach reporting obligation,[357] which took effect on 1 January 2016, will contribute to the respect for and the protection of privacy. Anyone who processes personal data must protect it against loss or unlawful processing. If this protection fails, and there is a security breach of personal data, this will constitute a data breach. Serious data breaches must be reported to the Dutch Data Protection Authority. In some cases, the person concerned must also be notified of the data breach.

The introduction of the data breach reporting obligation had an impact on many companies. They had to think about how and when the organisation would proceed in reporting a data breach and, in many cases, organisations had to adapt their internal processes in order to prevent data breaches, their notification and the fines and potential reputational damage. This could encourage companies to take better measures to protect personal data.

Cyber security in SMEs of importance for society

SMEs constitute a large group of companies and account for 61 percent of gross domestic product.[358] In addition, many vital processes are part of a chain and SMEs are often also part of this. SMEs are, therefore, important not only for the economy, but also for society. Although this is the case, SMEs have low digital resilience. Along with the growing threat of professional criminals, this represents a growing risk to the economic interests of the Netherlands.

To a greater or lesser extent over the past few years, large companies and organisations have nearly all been investing in cyber security measures. This is not the case for SMEs. Research by Interpolis shows that entrepreneurs underestimate the risk of digital threats.[359] A third of the businesses surveyed did not pay regular attention to digital threats. Many SMEs have no idea about cybercrime. The protective measures they take are basic, such as using virus scanners, firewalls and encrypting WiFi connections. This is striking, because research shows that 74 percent of SMEs say that they are largely or entirely dependent on IT.[360] The same study reports that more than 28 percent of SMEs have been victims of cybercrime.

In recent years, however, attention has been paid to digital security of SMEs. In order to reach SMEs better, the theme of the annual 'Alert Online' campaign was digital responsibility in business.[361] This, however, seems insufficient to protect SMEs, which are an essential party in society and in critical processes, well enough.

Quality requirements as implicit expectation

IT systems and the internet are an integral part of many processes within society. The government has set up its communication with the public through the internet and lays out its services in digital portals. For the business community, the analogue world has, for some items, long been an idea from the past. This is not new, but the trend is continuing. What is striking is that users implicitly set quality demands, in the broadest sense, on IT. They expect IT processes to withstand disturbances in the area of availability and infringement of integrity and confidentiality. These expectations are often not expressed. The expectation and the actual outcome of measures taken do not, therefore, correspond with each other.

From a traditional information security point of view, requirements are set on availability, integrity and confidentiality of information and information systems. Service providers, in turn, feel the need to take 'due care' of the information of their clients.[363] Even if contractually agreed availability requirements are met, but a malfunction occurs anyway, the expectation of clients that their unspoken demands are not being taken into account, is felt. The requirement for 99.9% availability can be agreed upon while, during the Christmas season, there is the implicit expectation that this should be 100 percent.

This can also be seen in other areas. Consumers know that their mobile provider will give them a certain quality. They also expect this in their business practices. Special subscriptions for high availability and specific services are skipped because of cost considerations.[363] The business community prefers cheaper standard subscriptions for, for example, business data traffic. Through cost savings and implicit expectations, the business community runs unnecessary risks.

Conclusion and looking ahead

Cyber security affects the interests of individuals, organisations and society. These are interests in the area of freedom, security and societal growth. These interests often remain stable for long periods of time. The past year, a number of developments have been observed in this area.

The government's position on encryption shows that the government is making the interests of citizens, businesses and government a priority. It sees no possibility to weaken encryption without affecting those interests.

The data breach reporting obligation goes hand in hand with the ability to impose sanctions on organisations with data breaches. This can encourage these organisations to make sure that the security of this data is in order and to keep it that way.

SMEs are important for the Netherlands. Many chains contain SMEs, and the same goes for chains within the critical processes. This group is lagging behind in terms of cyber security measures. That means a risk to critical processes and thus for the Dutch society.

Users implicitly set high quality requirements on digital services. Without expressly verbalising this, they assume that availability, integrity and confidentiality are high. Service providers feel the necessity of 'due care,' but cannot meet all the implied expectations.

[355] National Cyber Security Strategy 2, https://www.rijksoverheid.nl/documenten/rapporten/2013/10/28/nationale-cyber-security-strategie-2.