The State of IT Security in Germany 2015 the STATE of IT SECURITY in GERMANY 2015 | CONTENT the STATE of IT SECURITY in GERMANY 2015 | CONTENT
Total Page:16
File Type:pdf, Size:1020Kb
The State of IT Security in Germany 2015 THE STATE OF IT SECURITY IN GERMANY 2015 | CONTENT THE STATE OF IT SECURITY IN GERMANY 2015 | CONTENT Content 2.2.4 Spam 28 2.2.5 Botnets 30 2.2.6 Distributed denial of service (DDoS) attacks 30 Foreword 4 DDoS attacks on Federal Government and the German Bundestag websites 31 1 IT security between the conflicting priorities of innovation, globalisation and complexity 5 2.2.7 Drive-by exploits and exploit kits 32 2 Current exposure 8 Thousands of websites direct users to an exploit kit 33 2.1 Causes and determining factors 9 2.2.8 Identity theft 34 2.1.1 Cloud Computing 9 2.3 Cyber-attacks: Motivation and goals 35 2.1.2 Software vulnerabilities 10 2.3.1 Intelligence-related cyber-attacks 35 Blackmail attempt after the web server was compromised 11 2.3.2 Cyber-crime 36 IT security certification: Confidentiality and security design 12 An attack on the Hacking Team company 36 2.1.3 Hardware vulnerabilities 13 3 Current exposure: Federal Government 37 Vulnerability of Intel Management Systems 14 3.1 Defending against attacks on Government networks 38 2.1.4 User behaviour and manufacturer responsibility 14 3.2 Notifications from the Federal Administration 39 2.1.5 Cryptography 15 Information security in authorities 39 Current attacks on encryption methods 16 4 Protection of critical infrastructures: IT security for public welfare 40 2.1.6 Internet protocols 16 Targeted attacks on the infrastructure of financial institutions 41 2.1.7 Mobile communication 17 4.1 Critical infrastructures depend on functioning IT 42 Stagefright gap in Android: Careless update behaviour on the part of manufacturers 18 4.2 The IT Security Act 42 2.1.8 App security 18 Cyber-attack on the French television broadcaster TV5MONDE 43 2.1.9 Industrial control system security 20 4.3 The threat level for critical infrastructures 44 US researchers hack all-terrain vehicles 21 Extortion: DDoS attacks on critical infrastructure companies 44 2.2 Attack methods and means 22 Spear phishing targeted at critical infrastructure companies in the energy sector 45 2.2.1 Malware 22 5 Overall assessment and summary 46 Ransomware in the hospital 23 5.1 Causes of threats 47 2.2.2 Social engineering 24 5.2 Collective responsibility for IT security in Germany 49 Social engineering by phone 25 Glossary 50 2.2.3 Targeted attacks – APT 26 A cyber-attack on the German Bundestag 26 Dealing with an APT attack 27 2 3 THE STATE OF IT SECURITY IN GERMANY 2015 | FOREWORD FOREWORD IT security between the conflict- The report by the Federal Office for Information However, neither the Government nor economy Security in Germany (BSI) on the current state of alone is able to guarantee IT security in our coun- IT security in Germany in 2015 provides informa- try. Everyone has a contribution to make. We ing priorities of innovation, tion on the type and extent of key IT threats and must therefore strengthen collaboration between resulting risks. The report is based on informa- Government and commerce, as well as finding new globalisation and complexity tion analysed by the BSI relating to weaknesses ways to collaborate. We must work together to help and vulnerabilities in currently used information make citizens aware of the risks and to show them technology, as well as to attacks on IT systems and how to work securely online. The more securely networks. each individual can navigate the internet, the bet- ter the protection for the state and society online. The report shows that the number of weaknesses and vulnerabilities in IT systems is continuing to The digital vulnerabilities of our society will run at a high level. Some of these vulnerabilities ex- continue to place demands on us over the coming pose serious security gaps. The asymmetric threat years. This BSI report on the current state of IT level in cyberspace continues to escalate, meaning security in Germany provides the basis to enable that users’ protection of IT systems cannot always decision-makers in Government, commerce and keep pace with the often highly developed tools for society to properly address the risks to our country exploiting gaps in security. that are associated with digitisation. Therefore, I hope this report will be widely read by people who The following trends are especially clear on reading can then identify the areas that affect them, and the report: take action. Firstly, in view of the high number of identified vulnerabilities, some IT manufacturers tend to no longer provide security updates for their products’ security gaps where they believe that those gaps are less serious. This unnecessarily worsens the current level of exposure. Secondly, the number of attacks on industrial production facilities is rising, generating new com- mercial and economic risks. And thirdly, aspects of IT security are not always properly considered during digitisation, even if the failure of the relevant systems can result in far-reaching individual or societal consequences. The IT Security Act, which entered into force at the end of July 2015, is a key first step in improving the protection of IT systems and digital infrastructure in our country: we want them to be among the world’s most secure. Germany is well prepared for the task with the BSI acting as the statutory centre Dr. Thomas de Maizière of expertise for IT security matters. Federal Minister of the Interior 4 5 THE STATE OF IT SECURITY IN GERMANY 2015 | IT SECURITY BETWEEN CONFLICTING PRIORITIES THE STATE OF IT SECURITY IN GERMANY 2015 | IT SECURITY BETWEEN CONFLICTING PRIORITIES Mobile computing versus protection of Compatibility versus information security 1 IT security between the conflicting priorities of business-critical information innovation, globalisation and complexity When introducing modern and secure solutions, The trend toward the use of mobile IT contin- the justified demand for compatibility with exist- ues apace. In the private user sector, new device ing solutions can become a barrier. It often takes classes are already launching on the market, e.g. as time before improved security-related technol- The continuously high rate of innovation in A number of technological changes and their wrist watches and glasses (‘wearable computing’) ogies become established and obsolete, insecure information technology is expressed by its huge significance to IT security are described below. alongside established smartphones and tablets. solutions can be retired. One example of this is force for change and rapid penetration of all areas This will illustrate how quickly manufacturers and Smartphones and tablets already form part of the TLS/SSL protocol which is used in the internet of life and business. The saturation point of the users will find themselves in the field of conflict standard business equipment. As a result, the and in other networks for the encryption of data potential use of IT has not yet been reached. Quite described above. demand for processing business-critical informa- traffic. Many online servers are configured in such the opposite in fact: significantly higher growth tion on this type of device is growing. However, a way that older, insecure cryptographic methods rates can be expected in the miniaturisation and in view of the increasing risk of cyber-espionage, are approved, for internet users to be able to networking of intelligent systems. Developments many institutions have recognised that they must access the relevant website using older browsers. such as the ‘internet of things’ and ‘Industry 4.0’ Software-defined Everything versus Separation pay particular attention to protecting specific Another example is the use of older operating are just two examples of this. In a phase in which information. The reason for this process is that it systems for which the manufacturer no longer companies are developing their business models The current trend toward software-defined is mostly costly and impractical to establish the provides security updates. In the field of industrial further, or even establishing new ones, industry everything illustrates the conflict between func- same high level of security for the entire insti- controls and automation, IT systems can often and commerce as well as consumers are affected tionality and IT security. The term describes the tution. Instead of this, business-critical data, the simply be upgraded to a new operating system, by the onward march of digitisation. For Germa- trend toward architectures in which systems, ‘crown jewels’ are heavily protected, while proven sometimes because the manufacturer does not ny, this creates economic and social perspectives. networks, storage and – depending on design – standard security measures are implemented in support it or because there is no compatibility. It is increasingly clear, however, that continued also other elements of information processing are all other areas. For many institutions, the question digitisation is essentially determined by function- no longer defined statically by the hardware used, therefore arises of whether – and if yes, how – al and economic factors. Ongoing globalisation but can be configured dynamically (for example, business-critical data can be accessed from mobile increases the financial pressure on all parties to Software-defined Network, Software-defined Data devices. Here, the available modern security succeed. Against this backdrop, IT security is often Centre, or Software-defined Storage). The benefits solutions as well as individual risks should be overlooked. are clear: resources can be moved to where they considered. are needed more quickly and at lower cost. Organ- Providers who lag behind with respect to inno- isational changes can be mapped more easily, such vation and competitiveness run the risk of being as during mergers or acquisitions. Software-defined very quickly forced out of the market. This results Everything however competes with the basic Operational reliability versus protection in pressure to service the needs of a growing global requirement of information security based on against attacks customer base more quickly and functionally the separation of key processes and systems.