Date post: 11-Mar-2020
NATIONAL CYBER SECURITY CENTRE UNDER THE MINISTRY OF NATIONAL DEFENCE NATIONAL CYBER SECURITY STATUS REPORT FOR THE YEAR 2017

CONTENTS

INTRODUCTION
SUMMARY
1. CYBER ATTACK THREAT MAP OF THE REPUBLIC OF LITHUANIA
  1.1. Usage of cyber security software in Lithuania
  1.2. Annual statistics on cyber security events of the networks of SIR and CII managed by NCSC
  1.3. Disruption of electronic services
  1.4. Threat level of cyber incidents
  1.5. Statistics on cybercrime incidents in other sectors
2. ELECTRONIC COMMUNICATION NETWORKS RECONNAISSANCE
3. VULNERABLE INTERNET WEBSITES
4. CYBER INCIDENTS AND SOCIAL ENGINEERING
  4.1. Falsification of the websites of public authorities
  4.2. Stealing the passwords from the employees of the state institutions
  4.3. Falsification of the bank emails and websites
  4.4. Cyber-attacks against smartphone users
  4.5. CEO fraud
5. SPREAD OF MALICIOUS SOFTWARE
6. ORGANIZATIONAL AND TECHNICAL REQUIREMENTS ON CYBER SECURITY
7. RESONATING CYBER INCIDENTS
8. EXERCISE
CONCLUSIONS, RECOMMENDATIONS AND PROGNOSIS
  Conclusions
  Recommendations
  Prognosis


INTRODUCTION

The National Cyber Security Centre under the Ministry of National Defence (hereinafter referred to as NCSC) started its activity on the 1st of January 2018, when the updated Cyber Security Law of the Republic of Lithuania (No. XII-1428 of 11 December 2014) came into force. NCSC implements the cyber security policy, performs cyber incident management for the State Information Resources (hereinafter referred to as SIR) and Critical Information Infrastructure (hereinafter referred to as CII¹), prepares and submits proposals to the Minister of National Defence regarding the organizational and technical requirements for cyber security applied to SIR and CII, and monitors the compliance of these entities with the organizational and technical requirements applicable to cyber security. NCSC has the duty to provide advice and recommendations to the owners and management of SIR and CII on cyber security issues, to analyse the national cyber security situation and to prepare reports on the status of national cyber security. One of the tasks of NCSC is to ensure that CII managers have cyber defence plans and are able to carry them out.

In 2017 the Global Cyber Security Capacity Centre at the University of Oxford carried out a cyber security maturity assessment of Lithuania following the Cybersecurity Maturity Model. After the assessment of cybersecurity policy and strategy, culture and society, education and training, regulatory framework, standards, organizations and technologies, the maturity of Lithuanian cyber security was rated as “established”. Since 1st of January 2018 the consolidation of cybersecurity and electronic communications network security units and functions has been implemented in order to enhance national cyber security capabilities and to ensure fulfilment of the duties regulated by the law. NCSC started to act as a separate legal entity under the Ministry of National Defence (hereinafter referred to as the MoND), after teaming up the cyber security specialists of the Cyber Security and Telecommunications Services under the MoND (from 1 January 2018 - Information Technology Service at the MoND), Government Communication Centre under the MoND and Security Investigation Unit of the Communications Regulatory Authority. Integration of the functions and capabilities of NCSC and the security incident investigation subdivision of the Communications Regulatory Authority allowed the concentration of cyber security capabilities at the national level.

¹ The Critical Information Infrastructure (CII) in the Law on Cyber Security is defined as an information infrastructure managed by a private or public administration entity where a cyber incident can seriously harm national security, the economy of the country, the interests of the state and society

In 2017 NCSC continued the installation of technical measures in the infrastructure managed by the owners and operators of the CII and SIR in order to monitor cyber security status. Broadening the monitored space has yielded tangible results: more than four hundred cases of harmful software activity (which cannot be detected by the standard security measures) have been detected and neutralized.


SUMMARY

The National Cyber Security Status Report for the year 2017 is prepared and submitted to the Minister of National Defence by NCSC in accordance with the requirement set out in section 6 part 2 article 10 of the Law of the Republic of Lithuania on Cyber Security (hereinafter referred to as the Law). The status of cyber security is evaluated taking into consideration the dominant cyber security threats and the capability of the country to resist them. The report is based on the data collected by the technical monitoring measures of NCSC, information presented by the organisations and information received from other sources.

An intensification of the reconnaissance of the electronic communications networks of SIR and CII was observed in 2017. It was also noticed that industrial control system devices that operate in technological processes and have an internet connection were scanned more often. Cyber-attacks² directed against these devices can lead to physical consequences, when the impact on technological and industrial processes disrupts the daily activities of the population and the services provided by the operators.

NCSC observed a growing number of cyber incidents: malware was distributed, mostly using cyber-attacks based on social engineering principles that target the human factor. Compared to the year 2016, the spread of harmful software has increased in the areas of public security and legislation, foreign affairs and security policy. The spread of harmful software in the energy sector remains high.

Large-scale Distributed Denial of Service (DDoS) incidents were not observed at the national level, as they were during the year 2016, but the overall trend of these types of attacks remained unchanged. Cyber-attacks carried out in Lithuania are usually of an average threat level, i.e., the methods and technologies of the attacks are not very advanced. However, NCSC periodically detects technically extremely complex cyber-attacks. On the other hand, global cyber-attacks (WannaCry, NotPetya) did not affect SIR and CII of Lithuania.

The National Unit for the Investigation of Electronic Communication Networks and Information Security Incidents CERT-LT, which carried out its activities at the Communications Regulatory Authority of the Republic of Lithuania in 2017, processed 54 414 incidents. A tenth more cyber incidents in public communications networks were registered compared to the year 2016 (49 463 cases). The biggest cyber security issues in the private sector in the year 2017 were malware and unsafe information systems, including websites.

² Cyber-attack is any type of malicious activity in cyberspace targeting electronic communications goals, information systems or industrial process management systems

The total number of incidents processed by the cyber incident investigation units, in the public sector and the private sector combined, was 54 950. Statistics on such incidents signal a major challenge to cyber security for the Lithuanian electronic environment, citizens, the public sector and business.

After evaluation of the vulnerability of the Lithuanian public sector websites, it was found that in the year 2017 the number of vulnerable websites that could be breached by exploiting only already known vulnerabilities has increased. Organizations continue to avoid updating the software used for their websites on time; contracts for the purchase of website support and administration services generally do not include a cyber security obligation.

NCSC observed a growing number of state information resource managers and administrators and critical information infrastructure managers implementing organizational and technical cyber security requirements (positive progress): some organizations have developed or updated documents regarding security policy establishment and implementation, and installed technical measures to enhance cyber security in the organization. The number of SIR administrators and managers who partially implemented the organizational requirements approved by the Government increased by 47% in the year 2017, while the number of those who implemented all requirements increased by 11,5%. The concern of organizations over cyber security is noticeable and for the most part organizations are planning to meet all the requirements in the future. However, most of the entities failed to meet all the organizational and technical requirements for cyber security set by the Government in time.


1. CYBER ATTACK THREAT MAP OF THE REPUBLIC OF LITHUANIA

NCSC observed the threats and tendencies in cybersecurity status which could potentially cause the greatest damage to Lithuanian cyber security in the year 2017 (Fig. 1):

the spread of malicious software;

vulnerable websites;

social engineering;

reconnaissance of electronic communication networks;

denial of electronic services;

implementation of organizational and technical requirements for cyber security in SIR and CII.

Fig. 1. Cyber security threats and their tendencies which emerged in 2017 compared to 2016.

During the year 2017 malicious software was spreading rapidly. The number of vulnerable websites and reconnaissance inquiries in electronic communications networks increased, and the use of social engineering methods in cyberspace became more frequent. Large-scale distributed denial of service (DDoS) incidents were not observed at the national level, as they were during the year 2016, but the overall trend of these types of attacks remained unchanged. The level of implementation of organizational and technical cyber security requirements among CII and SIR has improved. The assumptions of NCSC are confirmed by the 2017 data of CERT-LT (now part of NCSC), according to which the greatest threats to cyber security in Lithuania were malware and unsafe information systems, including websites. NCSC points out that these two threats correlate, i.e. poorly protected websites are breached by abusing their vulnerabilities and used to carry out further malicious activities (for example, to spread malware). Malicious code, or links redirecting to websites that distribute malicious code, may be added to the taken-over websites with the aim of infecting visiting users’ computers with viruses that encrypt data or use their resources to mine cryptocurrency.

1.1. Usage of cyber security software in Lithuania

End point equipment with access to the Internet is the most vulnerable part of the information systems of the organisations. Cyber security software (hereinafter referred to as the software) helps to prevent threats, but, although it holds all the privileges, including the possibility of access by external entities, it is most often not controlled itself.

While assessing the state of cyber security in public sector institutions in Lithuania, NCSC also identified the most commonly used security software (mostly software that stops harmful code from executing) and its country of origin. Over 700 respondents were interviewed. CII managers, Lithuania’s state institutions, companies and other organizations which manage information resources of the state participated in the survey.

According to the survey, the most often used software is created in the US – 49,18%. Other software originated in Slovakia – 12,45%, Czech Republic – 11,53%. Cyber security software produced in Russia is used by 4,89% of the respondents (Fig. 2).

Fig. 2. Overall distribution of the software in Lithuania according to the country of origin of the software


NCSC notes that software and hardware used for cyber security are only a part of the tools that provide cyber security solutions. Education and awareness raising among the organisation’s employees and computer users on the issues of cyber security is extremely important. Furthermore, additional cyber threats may emerge in the networks of the organizations because of the uncontrolled activities of contractors and subcontractors. For these reasons it is important to encourage organizations to assess and improve the cyber security of the state, taking into account their internal organizational environment, and to implement the organizational and technical requirements for cyber security established by the Government.

1.2. Annual statistics on cyber security events of the networks of SIR and CII managed by NCSC

During the year 2017, NCSC registered 8 cyber incidents of high importance and 528 incidents of medium importance. Most incidents of medium importance are related to malware activity. For comparison, 489 incidents of high and medium importance were registered in 2016.

According to the data recorded by NCSC, it could be concluded that the number of registered cyber incidents in Lithuania is increasing.

1.3. Disruption of electronic services

One of the most popular cyber-attacks against electronic services is Distributed Denial of Service (hereinafter referred to as DDoS), which aims to affect the availability of electronic services and servers.

NCSC investigated a large-scale DDoS attack against one of the SIR managers: the cyber-attack was targeted at the health sector website, while also attacking other subjects in the same IP range. TCP SYN Flood traffic was directed to the website of the organization from more than 10 000 IP addresses. The incident is classified as a medium importance cyber incident.

NCSC points out that, according to various sources, there is an increase in the number of attacks against Internet of Things (IoT) equipment and in its capture and exploitation for DDoS attacks. In the year 2017, CERT-LT observed 24 612 devices with security vulnerabilities (20 690 devices in 2016)³.

NCSC notes that security measures should be synchronized and implemented in the infrastructure of a service provider.

³ The National Electronic Communications Networks and Information Security Investigation Division of the Republic of Lithuania activity report for 2017. https://www.cert.lt/doc/2017.pdf

| Group | Category | I quarter | II quarter | III quarter | IV quarter | Total No of incidents |
|---|---|---|---|---|---|---|
| Malicious software | High importance | 1 | 0 | 4 | 1 | 6 |
| Malicious software | Medium importance | 97 | 81 | 134 | 180 | 492 |
| Hacking | High importance | 0 | 1 | 0 | 1 | 2 |
| Hacking | Medium importance | 0 | 1 | 1 | 0 | 2 |
| CIS* disturbance | High importance | 0 | 0 | 0 | 0 | 0 |
| CIS* disturbance | Medium importance | 0 | 1 | 0 | 0 | 1 |
| Violation of integrity | Medium importance | 28 | 0 | 2 | 3 | 33 |
| Total No of incidents: | | 126 | 84 | 141 | 185 | 536 |

Table 1. Incidents of high and medium importance registered by NCSC in 2017

* CIS – communication and information systems


1.4. Threat level of cyber incidents

In order to determine the threat level of the cyber-attacks which took place in 2017, NCSC analysed and evaluated medium to high-level cyber incidents to determine the malicious software used for the attacks, the possible culprits, motives, intentions, the technological sophistication of the attacks, and other factors that show the level of the threats.

For the most part, the cyber-attacks carried out are of the medium threat level, i.e. the methods and technologies of the attacks are not very advanced (Figure 3). Nevertheless, NCSC periodically detects technically complex, continuous and targeted cyber-attacks, the purpose of which is to infiltrate specific systems and proceed with the exfiltration of information.

1.5. Statistics on cybercrime incidents in other sectors

In the year 2017, the National CERT-LT investigation unit processed 54 414 incidents based on reports received from the Lithuanian electronic communications service providers, foreign CERT services conducting international incident investigations and Internet users from Lithuania. Compared to the year 2016 (49 463 cases), a tenth more cyber incidents were recorded.

Figure 3. Total average of the threat assessment of cyber incidents examined by NCSC in 2017
[Radar chart, scale 0 to 6. Axes: the complexity of reconnaissance technique; attack vectors; exploitation of vulnerabilities; malware capabilities; trace hiding method level; type and quantity of affected targets; innovation level; duration of undetected operation; motives; intent; capacity level of an attacker; impact.]

| Types of processed incidents (the year 2017) | I q. | II q. | III q. | IV q. | Total: |
|---|---|---|---|---|---|
| About malicious software | 2 580 | 2 755 | 2 898 | 2 606 | 10 839 |
| About taking over the information systems | 2 962 | 2 775 | 2 704 | 2 510 | 10 951 |
| About E-service interruptions | 12 | 7 | 11 | 20 | 50 |
| About E-data falsification | 340 | 376 | 257 | 264 | 1 237 |
| About integrity violations | 2 | 7 | 4 | 2 | 15 |
| About device security flaws | 5 848 | 5 938 | 6 464 | 6 362 | 24 612 |
| Various | 2 899 | 1 672 | 943 | 1 196 | 6 710 |

Table 2. Incidents analysed by their types by CERT-LT in 2017

According to the 2017 statistics, there are two major cyber security issues in Lithuania: malware (malicious code) and unsafe information systems, including websites. These security issues complement each other and increase the potential risk to Internet users. According to the data of CERT-LT, about 3 000 computers in Lithuania were remotely controlled without their owners’ knowledge during 2017.

There were 10 951 incidents of information systems being taken over during 2017 (during 2016 there were 10 673 incidents). These types of incidents include malicious software and breached websites. On average CERT-LT registers 10 newly taken-over websites every day. Since autumn, the number of taken-over websites used for mining cryptocurrency has been increasing. As cryptocurrencies are getting more popular, the creators of ransomware are also getting more active. Both individual users and companies suffer from this type of threat. During 2017 there were 10 839 (in 2016 – 11 212) incidents related to ransomware.

Figure 4. The main types of incidents in the private sector in 2017
45% Device security vulnerabilities
20% Compromised system
20% Malware
13% Various incidents
2% E-data falsification

The distribution of false emails which imitate the head of the company and ask a subordinate to carry out financial operations (CEO fraud) continues to grow. During the year 2017 there was an increase in the falsification of popular websites: CERT-LT investigated 1 237 cases of phishing. In comparison, during 2016 the number was 555. Fake websites are created in order to make profit. During 2017 emails and short messages containing a link to a bank’s fake website were still very popular.

2. ELECTRONIC COMMUNICATION NETWORKS RECONNAISSANCE

Scanning the ports of network devices remained one of the most common, easiest and relatively most effective cyber reconnaissance tools during 2017. Port scanning is not necessarily carried out with malicious intent, but this reconnaissance method is still one of the first steps in gathering information about specific types of equipment, services and protocols, software and other potential vulnerabilities for subsequent cyber-attacks. In the year 2017 the number of port reconnaissance cases increased. Compared to the year 2016, interest in port 23 increased (this port is used for the Telnet protocol, an unencrypted communication).

By comparing the port scan statistics of NCSC with the most up-to-date data on attacked ports provided by CERT-LT, it can be stated that the same ports are commonly scanned in both the public and private sectors: 23, 22, 445, 1433.

Figure 5. Port scan statistics in the networks monitored by NCSC during 2017

During the year 2017 NCSC paid particular attention to the ports used for technological processes and their reconnaissance: the number of scans is increasing and correlates with the scan statistics of other ports.


The monitored ports are related to devices, such as programmable logic controllers, which can control specific technological processes capable of generating kinetic effects (for example, such equipment can be used to control water treatment plants, control power supply, distribution, transport control systems, etc.).

The cyberspace monitored by NCSC is being scanned from different territories. It is important to emphasize that the IP addresses in the scanning statistics only specify the geographic location of the final scanning facilities. The real scanning entities may use intermediate connections to connect to these devices, so their actual geographic location cannot be determined from the primary data.

In most cases, the Lithuanian address range is scanned (including searches for ports used in industrial networks) from the territories of the following countries: the United States of America, Russia and China. It should be noted that more than a half of the devices operating on industrial networks that are being searched for use the BACnet, ModBus, Niagara Tridium Fox and Siemens S7 protocols (Table 3). One-third of the IP addresses from which the cyberspace monitored by NCSC was scanned are described as malicious addresses by various sources.

Industrial process control devices operating on specific networks are often connected to terminal equipment with an Internet connection. End point devices are not updated on time because of compatibility constraints or high prices. As a result, the risk of cyber-attacks targeting industrial networks is increasing, so it is important to ensure that information systems that control industrial processes do not have Internet connectivity or are additionally protected with communication encryption.

| No | Title | % |
|---|---|---|
| 1. | BACnet | 20,7 |
| 2. | Modbus | 15,4 |
| 3. | Niagara Tridium Fox | 12,8 |
| 4. | Siemens S7 | 9,0 |
| 5. | EtherNet/IP | 8,2 |
| 6. | DNP3 | 6,3 |
| 7. | Mitsubishi Electric MELSEC-Q | 5,0 |
| 8. | Omron FINS | 4,9 |
| 9. | PCWorx | 3,6 |
| 10. | HART-IP | 3,2 |
| 11. | ProConOS | 2,9 |
| 12. | Red Lion Controls Crimson V3 | 2,8 |
| 13. | Codesys | 2,6 |
| 14. | GE Industrial Solutions-SRTP | 2,2 |
| 15. | IEC 60870-5-104 | 0,3 |

Table 3. Reconnaissance of the equipment used in technological processes by protocols and/or equipment manufacturers in 2017.
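
The per-port and per-protocol scan statistics described in this section can be reproduced by a defender from perimeter firewall logs. The following is an added example, not part of the NCSC report and not NCSC's tooling: it assumes iptables-style log lines, uses constructed sample data with documentation IP addresses, maps a few Table 3 protocols to their usual default ports (an assumption, since sites may use other ports), and all function names are hypothetical.

```python
"""Tally inbound probes per destination port and flag scanning sources."""
import re
from collections import Counter, defaultdict

# Ports the report names as most often scanned, with their usual service.
IT_PORTS = {23: "Telnet", 22: "SSH", 445: "SMB", 1433: "MS SQL Server"}

# Usual default ports of some Table 3 protocols. Assumption: a given
# site may expose these protocols on different ports.
ICS_PORTS = {
    502: "Modbus",
    47808: "BACnet",
    102: "Siemens S7",
    1911: "Niagara Tridium Fox",
    44818: "EtherNet/IP",
    20000: "DNP3",
    2404: "IEC 60870-5-104",
}

# Assumed log format: iptables LOG target output.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
Jan 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40001 DPT=23 SYN
Jan 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 LEN=44 PROTO=TCP SPT=40002 DPT=23 SYN
Jan 10 03:12:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 LEN=44 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 10 03:12:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 LEN=44 PROTO=TCP SPT=40004 DPT=23 SYN
Jan 10 03:12:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40005 DPT=22 SYN
Jan 10 03:12:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=40006 DPT=445 SYN
Jan 10 03:12:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8
Jan 10 04:40:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.20 LEN=44 PROTO=TCP SPT=51000 DPT=502 SYN
Jan 10 04:40:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.20 LEN=44 PROTO=TCP SPT=51001 DPT=102 SYN
Jan 10 04:40:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.21 LEN=45 PROTO=UDP SPT=51002 DPT=47808
Jan 10 04:40:14 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.21 LEN=44 PROTO=TCP SPT=51003 DPT=44818 SYN
Jan 10 04:40:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.50 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=51004 DPT=1433 SYN
Jan 10 09:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=52000 DPT=443 SYN
Jan 10 09:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=52001 DPT=443 SYN
"""


def parse_events(text):
    """Return (src, dst, proto, dport) tuples; skip lines with no port."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue  # e.g. ICMP, which has no destination port
        events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def port_statistics(events):
    """Count probes per destination port (the kind of data behind Figure 5)."""
    return Counter(dport for _, _, _, dport in events)


def find_scanners(events, min_targets=4):
    """Sources that touched at least min_targets distinct (host, port) pairs."""
    targets = defaultdict(set)
    for src, dst, _, dport in events:
        targets[src].add((dst, dport))
    return {src: t for src, t in targets.items() if len(t) >= min_targets}


def ics_probes(events):
    """Map each probed industrial protocol to the sources that probed it."""
    probes = defaultdict(set)
    for src, _, _, dport in events:
        if dport in ICS_PORTS:
            probes[ICS_PORTS[dport]].add(src)
    return dict(probes)


def label(port):
    """Human-readable name for a port, if it is one of those tracked here."""
    return IT_PORTS.get(port) or ICS_PORTS.get(port) or "other"


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    total = len(events)
    for port, count in port_statistics(events).most_common():
        print(f"{port:>6} {label(port):<22} {count:>3} {100 * count / total:5.1f}%")
    for src, hit in sorted(find_scanners(events).items()):
        print(f"scanner {src}: {len(hit)} distinct targets")
    for proto, sources in sorted(ics_probes(events).items()):
        print(f"ICS probe {proto}: {sorted(sources)}")
```

As the report notes, the source address found this way only identifies the final scanning host, not necessarily the real scanning entity.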


3. VULNERABLE INTERNET WEBSITES

Organizations usually publish information about their activities and the services they provide on their websites. It is important to emphasize that organizations, depending on the range of the services provided, use information technology of varying complexity, so the purchase and maintenance of the services are funded differently; accordingly, the quality is often not assessed against security criteria.

Organizational websites are accessible by specific domain names, which in the online name register are linked to the IP addresses of the website hosting service (hereinafter referred to as HS). The software on the HS side processes the requests received and passes the information to the requesting entity. A cyber-attack in this case may consist of manipulation and the creation of atypical working conditions that provoke disruptions within the HS software and hardware components, creating the possibility to affect the components of a website and the integrity, confidentiality and availability of information.

The HS Software (hereinafter referred to as the software) consists of: operating systems (hereinafter referred to as the OS), website broadcasting service, hypertext interpreter, content management system (hereinafter referred to as the CMS) and other additional network services such as e-mail, data exchange or remote administration programs. Flaws in the software are periodically discovered; exploitation of these vulnerabilities during an attack may lead to disruption of service, or to the possibility of uploading harmful program code, gaining access to a data fragment, modifying data or influencing the program and the functioning of the website.

Malicious code is uploaded to the affected sites in order to distribute it and intentionally infect visitors of the website, or to exploit these websites as intermediate proxies for other attacks.

In order to determine the security level of the websites and its changes over time, NCSC carried out two security evaluations of the websites in 2017. According to the initial list of websites, approximately 1200 public sector websites were tested. The study was performed on the basis of statistical modelling, analysis of the information sent by the server during normal site browsing (GET request HTTP header banner), technical data from public catalogue databases and information received by passive scanning tools about website hosting servers and website broadcasting software. The network services operating on TCP/IP protocol ports 80 and 443 were evaluated.

Fig. 6. The state of cybersecurity of the public sector websites in 2016-2017. *

2016: Difficult to hack 48%; Easy to hack 34%; Very easy to hack 18%
2017: Difficult to hack 25%; Easy to hack 52%; Very easy to hack 23%

* Very easy to hack - technical knowledge or special programming skills are not required. Successful attacks are easily reproduced, the instructions for necessary actions are easily found on the internet.

Easy to hack – there is a need for necessary skills and knowledge, usually published in closed groups.

Difficult to hack – there is a need for deeper knowledge and skilled specialists, vulnerabilities are not yet publicly available.


The study showed that during the year 2017 23% of the checked public sector websites could be disrupted by intruders with low qualifications, 52% by intruders with medium skills and 25% by highly skilled intruders. In the year 2016 nearly one-fifth of the websites (18%) could be hacked with no specific technical knowledge or special programming skills, up to 34% of the websites could be hacked with the appropriate level of skill and knowledge, while 48% of the sites were relatively safe, since only highly qualified specialists could potentially hack them (Fig. 6).

Usually, websites are exploited through the HS Software, security vulnerabilities of the CMS and its plugins, insufficient HS security configuration, misuse of administrative privileges and access, and default or very easy to guess passwords.

In the year 2017 it became very popular to exploit websites and use them to generate cryptocurrencies, using the computers of website visitors to do the mining calculations. Visitors who opened the infected website unknowingly enabled the malicious code, which starts the cryptocurrency mining process on behalf of the intruders of the website. It was noticed that in certain cases the code for cryptocurrency generation could also have been uploaded by the owners of the websites themselves.

When comparing the data of 2015 - 2017 (in 2016 a positive website security trend was observed), it can be seen that during the year 2017 the number of websites that are very easy to hack slightly increased (to 23%), the number of websites that were easy to hack increased the most (from 34% to 52%) and the number of websites that were difficult to hack decreased compared with the year 2016 (to 25%) (Fig. 7).

In general, it can be said that the security state and resilience of the websites of the public sector became worse in 2017. This conclusion is confirmed by a CERT-LT study performed in 2017, according to which about 70% of website CMS are outdated.

In order to protect publicly accessible systems or websites from being exploited, it is necessary to regularly update the software used on the servers, restrict access to the administration interface (for example, through access control lists), use additional security measures (such as firewalls for web applications), strictly control account administration privileges, use complex and regularly changed passwords, and periodically audit logs.

Fig. 7. The change of vulnerability of the websites according to the hacking complexity during 2015-2017


4. CYBER INCIDENTS AND SOCIAL ENGINEERING

Social engineering techniques are used to manipulate people's emotions and to use psychological effects to force users to take potentially harmful actions (click links, open websites, download files, enable malicious code, reveal personal or login details). The most popular methods, Phishing and Baiting, are used to obtain information for further cyber-attacks and to spread malware in the networks of organizations. For example, after a document sent via e-mail is opened and macro commands are enabled (Fig. 8), a malicious payload is downloaded to the workstation. The code encrypts the user's data and then asks the user for a ransom (Fig. 9). Malicious .docx, .xlsx or .pdf documents are sent most often. In order to avoid security checks, these files are often archived, and the password is provided to the user in the text of the message sent (Fig. 10).
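A mail gateway cannot scan inside an encrypted archive, but it can see that the archive is encrypted and that the message body hands over the password, which is the pattern described above. The following is an added example, not code from the report; the keyword list, addresses and sample messages are constructed.

```python
"""Triage for mail that carries an encrypted ZIP and states its password in the body."""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed keyword list; extend it for the languages your users receive.
PASSWORD_HINT = re.compile(
    r"\b(?:password|passcode|slaptažodis)\b\s*(?:is\b|[:=])?\s*(\S+)", re.I)
DOCUMENT_EXT = (".docx", ".xlsx", ".pdf")  # the document types the report names


def encrypted_members(blob):
    """Names of ZIP members whose 'encrypted' flag (general-purpose bit 0) is set."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return the findings and a verdict for one raw message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    locked = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):        # ZIP magic, whatever the file name says
            locked += encrypted_members(payload)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hint = bool(PASSWORD_HINT.search(text))
    if locked and hint:
        verdict = "quarantine"   # scanner cannot look inside, sender supplies the key
    elif locked:
        verdict = "review"       # encrypted archive, password sent some other way
    else:
        verdict = "pass"
    return {
        "encrypted_members": locked,
        "documents_inside": [n for n in locked if n.lower().endswith(DOCUMENT_EXT)],
        "password_in_body": hint,
        "verdict": verdict,
    }


def constructed_zip(member, encrypted):
    """Build a sample archive and optionally mark its member as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, b"constructed placeholder, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        central = data.find(b"PK\x01\x02")
        data[6] |= 0x01            # flag word of the local file header
        data[central + 8] |= 0x01  # flag word of the central directory entry
    return bytes(data)


def sample_mail(encrypted, body):
    """Constructed message with one ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "employee@institution.example"
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    msg.add_attachment(constructed_zip("invoice.docx", encrypted),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(sample_mail(True, "Invoice attached. Archive password: 2017")))
```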

The number of letters created using social engineering principles increased by one and a half times during 2017. NCSC registered over 188 500 social engineering emails per year in one of the monitored institutions. During 2016 the number was 106 000, and in 2015 more than 37 000.

NCSC observed the targeted distribution of emails created using social engineering principles in the year 2017. It should be emphasized that the actual websites and information systems of the institutions and organizations (see examples below) have not been hacked; what is shown are their fake versions, which use the design elements, colours, logos and names of the organizations' websites.

Fig. 8. Enabling the macro commands in the received document

Fig. 9. An example of encrypted data message

Fig. 10. Password provided in the text of the letter

Fig. 11. Number of social engineering emails in 2015-2017

4.1. Falsification of the websites of public authorities

In the year 2017, NCSC investigated several cyber-attacks initiated and based on social engineering methods. During these attacks letters were sent with links to fake websites of state institutions. One example is the State Tax Inspectorate (hereinafter referred to as the STI). Efforts were made to use the name of the STI to obtain credit card data under the pretence of refunding overpaid tax.

In the email it was indicated that an error had been found in the STI calculations, and the recipient was asked to provide his credit card details in order to receive the overpaid tax. The amount of money to be refunded was indicated in the former state currency; moreover, there were obvious grammatical mistakes in the text of the letter, suggesting that the text had been translated with an automated language translation program (Fig. 12).

A hyperlink to the fake website was included in the letter. This website used similar design elements and colours copied from the actual website of the STI (Fig. 13).

Fig. 12. Fake email

Fig. 13. The fake website of the State Tax Inspectorate

When the user submits credit card information, this data is received by the attackers.


4.2. Stealing the passwords from the employees of the state institutions

NCSC investigated incidents in which fake letters from computer network administrators, informing about updates to the mailing system, were sent to the employees of public authorities (Fig. 14). The provided link led to a phishing site imitating the institution’s email service website (Fig. 15). Passwords provided by the users were taken over by the attackers.

4.3. Falsification of the bank emails and websites

NCSC investigated cyber-attacks based on social engineering methods in which emails with links to fake websites of banks operating in Lithuania were distributed (Fig. 16).

Criminals try to reach users not only via email, but also using short (SMS) messages (Fig. 17) containing a fake bank information notice and a link to a fake bank website.

By clicking on the links presented in the email, the user opens websites that use design elements, logos and colours of the websites of well-known organizations. An attempt is made to persuade the visitor that it is a real website and to force him to log in with real credentials (Fig. 17, 18). If the visitor provides his login information (the visitor is asked to provide the secondary authentication factor in an extra table), it is transmitted to the server of the attacker through the unencrypted communication protocol (http). Login data could be used to steal money from the user.

Fig. 14. Fake email from an administrator

Fig. 15. Fake email service website

Fig. 16. An example of social engineering - a fake email

Fig. 17. Fake bank messages


Fig. 18. Phishing website

It should be noted that in order to steal the banking credentials, links to phishing websites may be sent not only via email, but also by using short text messages.

4.4. Cyber-attacks against smartphone users

The variety of cyber-attacks based on social engineering methods is not limited to emails. As was shown above, links to infected websites or to dangerous software may also be sent via short text messages (Fig. 19). This may help to infect smartphones that process a lot of important personal information (personal data, passwords, geographic location, financial transaction information, audio and video without the consent of the owner of the device).

Fig. 19. Harmful links are distributed via short text messages


4.5. CEO fraud

During the year 2017 NCSC received a lot of reports from representatives of organizations regarding letters impersonating executives and trying to persuade the staff responsible for financial transactions to make money transfers into the accounts of the attackers (Fig. 20). Such cyber-attacks are not technically complex, but before they are organized, detailed information about the target and its environment (the organization’s activities, responsible personnel, agenda, etc.) is collected.

Fig. 21. Typical CEO fraud scenario

It is important to emphasize that corporate executives often fail to comply with the basic cyber security measures which are mandatory for other employees of the organization; therefore it is important to apply cyber security measures throughout the organization. Employees who may be targeted should also be informed about such frauds. Cyber security awareness would be greatly enhanced by regular training of the staff and exercises on resilience to threats carried out by the company itself or by trained specialists.

Fig. 20. An example of social engineering. Imitated email address

It is important for the attackers that the employee makes the money transfer as fast and as confidentially as possible, otherwise the other employees of the organization may find out about the operation. It is also important for the attackers to create a stressful situation and to force employees to act in an irrational way. That is why, at that moment, it is crucial for them to take advantage of the authority of the manager and to make it artificially difficult to contact him. Occasionally, an attempt is made to force the employee not to follow the established procedures. After the employee has been convinced, a third party may indicate how the money transfer operation should be performed. Afterwards, the employee transfers money to one or more of the attacker's difficult to trace accounts.
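The traits described in this section (an imitated sender address, a request for payment, pressure to act quickly and confidentially, an executive who cannot be reached) can be checked mechanically before a message reaches the finance staff. The following is an added example, not code from the report; the organisation domain, the executive directory, the keyword lists and both sample messages are constructed assumptions.

```python
"""Score an incoming message for the CEO-fraud traits described in section 4.5."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "example.org"   # assumption: the organisation's real mail domain
EXECUTIVES = {"jonas jonaitis": "jonas.jonaitis@example.org"}  # constructed directory
PRESSURE = re.compile(
    r"\b(urgent(ly)?|confidential|immediately|today|in a meeting|cannot take calls)\b", re.I)
PAYMENT = re.compile(r"\b(transfer|payment|invoice|IBAN|wire)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(domain):
    """Collapse common look-alike characters (0/o, 1/l, rn/m)."""
    return domain.lower().translate(str.maketrans("01", "ol")).replace("rn", "m")


def is_lookalike(domain):
    if not domain or domain == ORG_DOMAIN:
        return False
    return fold(domain) == fold(ORG_DOMAIN) or edit_distance(domain, ORG_DOMAIN) <= 2


def ceo_fraud_signals(raw):
    """Return the list of fraud signals found in one raw message (str)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    reply = parseaddr(str(msg.get("Reply-To", "")))[1]
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = f'{msg["Subject"]}\n{body.get_content() if body else ""}'
    signals = []
    real = EXECUTIVES.get(" ".join(name.lower().split()))
    if real and addr.lower() != real:
        signals.append("executive-name-on-foreign-address")
    if is_lookalike(domain):
        signals.append("lookalike-domain")
    if reply and reply.rpartition("@")[2].lower() != domain:
        signals.append("reply-to-diverges")
    if PAYMENT.search(text) and PRESSURE.search(text):
        signals.append("payment-under-pressure")
    return signals


def verdict(signals):
    """Two or more signals: hold the message until the request is confirmed."""
    return "hold-for-callback" if len(signals) >= 2 else "deliver"


# Constructed samples.
FRAUD_SAMPLE = (
    "From: Jonas Jonaitis <jonas.jonaitis@examp1e.org>\n"
    "Reply-To: office@mail-relay.example.net\n"
    "To: accounting@example.org\n"
    "Subject: Urgent transfer\n"
    "\n"
    "I am in a meeting and cannot take calls. Make the payment today\n"
    "and keep it confidential. Account details will follow.\n"
)
LEGIT_SAMPLE = (
    "From: Jonas Jonaitis <jonas.jonaitis@example.org>\n"
    "To: accounting@example.org\n"
    "Subject: Board agenda\n"
    "\n"
    "The agenda for Thursday is attached.\n"
)

if __name__ == "__main__":
    found = ceo_fraud_signals(FRAUD_SAMPLE)
    print(found, verdict(found))
```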


5. SPREAD OF MALICIOUS SOFTWARE

NCSC observed a growing trend of malware spreading in the year 2017. During 2017 NCSC detected and neutralized harmful software more than 450 times (Fig. 22). Several incidents were investigated in which highly advanced spyware was identified. This software is associated with foreign intelligence services. The operation of such software has been detected and prevented in several state institutions of Lithuania.

Fig. 22. Malicious software detected by NCSC during 2017 by sectors

During 2017 NCSC, with the help of distributed technical sensor tools, continued to monitor for malicious activity. Most of the detected harmful software activity was in the energy sector (more than 26%), the public security and legal order sector (more than 22% of all cases) and the foreign affairs and security policy sector (more than 21% of all recorded cases). Compared to the year 2016, the spread of harmful software increased in the public security and legal order and the foreign affairs and security policy sectors, while in the energy sector it remained high.

6. ORGANIZATIONAL AND TECHNICAL REQUIREMENTS ON CYBER SECURITY

On 20 April 2016 the Government of the Republic of Lithuania, by Resolution No. 387 (hereinafter referred to as the Resolution), defined the organizational and technical requirements for the CII administrators and the SIR managers and administrators. The requirements set by the Government de facto obligated organizations to establish a cyber security policy, carry out risk assessments, prevent hacking, develop the necessary skills for cyber security, define the procedures for cyber incident management and implement specific technical measures. The administrators and managers of the SIR had to fulfil the organizational requirements within 4 months from the date the Resolution came into force, i.e. till August 2016, and the technical requirements within 12 months, i.e. till April 2017. The administrators of the CII had to implement the organizational cyber security requirements within 4 months, i.e. till July 2017, and the technical requirements within 12 months, i.e. till March 2018.

At the beginning of 2018, NCSC conducted a survey with more than 200 questions in order to assess in detail the compliance of SIR administrators and managers and CII administrators with the organizational and technical requirements for cyber security. The majority of surveyed subjects represented the health and public administration sectors (Fig. 23). Most respondents indicated that they were familiar with the requirements indicated in the Resolution; 5% of the respondents pointed out that they were not familiar with the requirements, whereas a survey conducted by NCSC a year earlier showed that one third of the respondents were unfamiliar with this legal act in the year 2016.


Fig. 23. Organizations which participated in the survey by sector

In 2017 the extent of implementation of organizational requirements by SIR managers and administrators increased: all requirements have been implemented by 13% of the subjects, 16% of the subjects implemented more than half of the requirements, 21% less than half and 50% did not implement the requirements or did not provide information to NCSC. Meanwhile, 26% of CII administrators indicated that they had implemented all the organizational requirements, 32% answered that they had implemented more than a half of the requirements, 13% less than a half, and 29% did not implement the requirements or did not provide information (Fig. 24).

Fig. 24. Implementation of organizational requirements by managers and administrators of CII and SIR

60% of the SIR managers and administrators who implemented more than half of the requirements, 51% of those who implemented less than half of the requirements and 40% of the entities who did not implement the requirements indicated that they had planned to implement the remaining requirements in the future. 75% of the CII administrators who implemented more than a half of the requirements, 100% of those who implemented less than a half of the requirements and 18% of those who did not implement the requirements indicated that they had planned to implement them in the future (Fig. 25). It could be concluded that the majority of the subjects who have not implemented the requirements, to a large extent, do not plan to implement them in the future.

Survey participants by sector (data labels of Fig. 23):
Water supply service sector 1%
Industry sector 1%
Food sector 1%
Civil Security Sector 1%
Financial sector 3%
Energy sector 4%
Information technology and electronic communications sector 4%
Transport and postal sector 4%
Environmental sector 7%
Public security and legal order sector 11%
State administration sector 15%
Health sector 24%
Other sectors 24%


Fig. 25. Managers and administrators of CII and SIR who say they are planning to implement organizational requirements in the future


The technical requirements had to be implemented by the organizations within one year from the date the Resolution came into force or the CII list was approved by the Government. NCSC conducted a survey in order to determine the number of organizations meeting the requirements or how they plan to implement them in the future (Fig. 26).

Fig. 26. Implementation of technical requirements by managers and administrators of CII and SIR

6% of the SIR managers and administrators stated that they had implemented all the technical requirements, 12% implemented more than a half of the requirements, 17% less than a half and 65% did not implement the requirements or did not provide information. The survey revealed that 13% of CII managers have implemented all the indicated technical requirements, 24% implemented more than a half of the requirements, 34% less than a half and 29% did not implement the requirements or did not provide information.

Managers and administrators of the CII and SIR who partially implemented the technical requirements indicated that they are planning to implement all the requirements in the future, but only 6% of SIR and 18% of CII managers and administrators who have not implemented the requirements indicated that they are planning to implement all the requirements in the future. In conclusion, most of the entities that have not implemented the requirements are not going to do so in the future (Fig. 27).

Fig. 27. Percentage of CII managers and SIR administrators that are planning to implement the technical requirements in the future

In the year 2017, the number of organizations which implemented the organizational requirements showed positive growth. NCSC carried out a detailed assessment of compliance with the organizational requirements set by the Resolution in organizations stating that all of the requirements are implemented. All audited organizations are managing state information resources and critical information infrastructure. The evaluation sought to identify the quality of the documents forming the cyber security policy by defining the implementation of the requirements and their correlation with the documents and procedures implementing the policy, and their integration with the organizations' processes. It also sought to identify the problems that organizations encounter in practice while implementing the organizational requirements.

It should be noted that institutions that have formally implemented all the requirements set in the Resolution did not fully integrate them into the organization’s policy documents; in addition, the implementation of the requirements was not defined, transferring direct responsibility to the employees. Although the requirements were met, processes are not always managed and evaluated, and are implemented only partially.

Organizations defined and implemented the processes of cyber incident management and designated the responsible personnel; however, the requirement to inform the responsible organizations about cyber incidents is de facto not integrated and formalized in practice.


Organizations point out that the requirements set by the Resolution are difficult to implement due to lack of competence, human and financial resources (Fig. 28). Entities are not yet able to evaluate the importance of cyber security for their managed information resources and, in general, cyber security is not considered a priority area.

Fig. 28. Interaction between the major problems arising from the implementation of organizational and technical requirements for cyber security (diagram labels: lack of human resources, lack of competence, lack of financial resources)

The conducted survey of the implementation of the organizational and technical cyber security requirements has shown that most of the organizations were aware of the requirements applicable to them, and the tendency for implementation was improving. After the assessment of compliance of the organizations that declare they have implemented all the organizational requirements, it was observed that the requirements, mutatis mutandis, are only formally fulfilled and the implementation of all organizational requirements is practically not guaranteed. It is important to emphasize that most of the organizations that have not implemented the requirements do not plan to implement them in the future.

7. RESONATING CYBER INCIDENTS

In the year 2017 there were a number of cyber-attacks that generated great interest at the national and international levels.

Cyber-attacks against the media were registered. During these attacks misleading and panic-inducing information related to the mission of NATO soldiers was published. In April the BNS system was hacked: fake news about US troops in Latvia was published. This was done through unauthorized use of the www.bns.lt content management system’s administrator account.

In May, an international cyber-attack took place, hitting targets in a hundred and fifty countries. The WannaCry computer virus, exploiting a security vulnerability in the Windows operating system, spread across computer networks, encrypted the users' data stored on the computers and demanded a ransom for its recovery. Organizations from the education, health and transport sectors and other important information infrastructures have suffered in the countries of the European Union. According to the data of NCSC, there were no infected IP addresses, no state-owned or critical information infrastructure objects in Lithuania.

Fig. 29. Example of WannaCry Virus encrypted data


In June, the same operating system vulnerability was exploited in the spread of another encrypting virus, “NotPetya”.

Fig. 30. Example of data encrypted by “NotPetya” virus

The virus has mostly spread in the computer systems of Eastern Europe. According to CERT-LT data, five cases of information system damage were detected in Lithuania, disrupting business activities and causing losses.⁴ NCSC did not register related incidents in the SIR or CII.

NCSC points out that the operating systems of servers and workstations used on the network of an organization should be updated on time (as soon as the manufacturer issues security patches). If the systems used are not supported by the manufacturer, their access to the internet should be limited and security should be enhanced by additional means.

For protection against these types of attacks, it is recommended to regularly back up important data, which should be stored separately and not be accessible from the environment of employees.

NCSC notes that the payment of a ransom does not guarantee the recovery of data, therefore it is not recommended to carry out the requested money transfers.

A copy of the encrypted data can be saved in the hope that decryption keys will be publicly available in the future.⁵

⁴ Activity report for the year 2017 of the National Electronic Communication Networks and Information Security Investigation Division of the Republic of Lithuania. https://www.cert.lt/doc/2017.pdf

⁵ https://www.nomoreransom.org/

8. EXERCISE

As the number of cyber-attacks is growing, it is particularly important to respond promptly to the emerging threats, to recognize and prevent them. Cybersecurity exercises are one of the best practical tools to help train employees of organizations and security personnel.

In 2017 the national cyber security exercise „Kibernetinis skydas 2017“ (Cyber Shield 2017), organized by NCSC, took place in Lithuania. The training audience consisted of more than 200 IT department managers and cyber security specialists from more than 50 public institutions, information resource managers, research institutions, energy companies, communications operators and companies trained in cyber incident management and control. Goals of the exercise: to develop co-operation between SIR and CII managers and investigators of cyber incidents, to develop the capabilities to stop incidents in SIR and CII, to test the procedures of the National Cyber Incident Management Plan, and to develop the application of skills. In the training sessions, heads of the institutions and companies trained to manage cyber incidents, to detect vulnerabilities of the systems and remove them in accordance with the legal cyber security framework established in Lithuania. In the technical part of the training, specialists were trained to manage cyber-attacks in a virtual information infrastructure created specifically for the exercise. Teams worked from training places in Vilnius, Kaunas and other cities of Lithuania. During the exercise the cyber incident management platform for SIR and CII managers (created by NCSC) was tested.

In the year 2017 Lithuania, together with Latvia, Estonia and the USA, participated in the international exercise Baltic Ghost 2017. The goal of this exercise was to strengthen cooperation between the three Baltic States and the United States of America in the case of dangerous cyber incidents (critical infrastructure protection in the region, the identification of civilian and military cyber organizations that support each other in a cyber crisis, and the most effective ways and means of exchanging information) and to check which common high-level procedures are necessary.

The Lithuanian representatives participated in the NATO-hosted exercise Cyber Coalition 2017. The goal of this exercise was to check the effectiveness of NATO’s response and information exchange during cyber-threats.

In the second quarter of 2017 Lithuania participated in the annual international cyber security exercise Locked Shields 2017, organized by the NATO Cooperative Cyber Defence Centre of Excellence. During the exercise, the teams became targets: they supervised military air force networks while suffering attacks on the electricity distribution grid, command and control systems and critical information infrastructure. Locked Shields 2017 was the largest international cyber security exercise based on scenarios, technologies used and the number of countries involved. Over 2 500 different types of attacks have been prepared for the participants and more than 3 000 virtual systems have been used. The exercises took place in simulated cyberspace in real time, involving over 800 professionals from 25 countries.⁶

⁶ https://ccdcoe.org/locked-shields-2017.html

CONCLUSIONS, RECOMMENDATIONS AND PROGNOSIS

Conclusions

The situation of cyber security in Lithuania slightly improved in 2017 compared to 2016. However, not enough effort is invested in cyber security relative to the growth of cyber threats. The main reasons supporting this assumption are:

1. An improvement in compliance with organizational and technical cyber security requirements in the state information resources and critical information infrastructure shows growing attention from organizations towards cyber security. On the other hand, regulations are implemented ad hoc, in a fragmentary and formal manner, while the increasing number of incidents suggests that organizations do not implement appropriate tools to remove known vulnerabilities and deter threats.

2. An increase in the reconnaissance of electronic communication networks (including industrial control systems), together with the increasing amount of malware, points to the insufficient ability of organizations to protect themselves against threats and ensure an adequate level of protection and resistance.

3. The total number of cyber incidents processed by NCSC reached 54 950, including public and private sectors, which is 10% higher than in the year 2016. These statistics point to a possible challenge for the electronic environment of Lithuania, citizens, public sector and businesses.

4. The growing number of social engineering based cyber-attacks shows that the gullibility and lack of awareness and knowledge of the users and employees of organizations is still one of the main cyber security vulnerabilities.

5. The improving capabilities of NCSC and the expanding monitored space made it possible to detect more malware that is undetectable by other tools. However, organizations are still reluctant to report cyber incidents found in their networks and are not inclined to share information and threat indicators.

6. The ever-changing cyber security state of Lithuania’s public sector websites shows that software is not updated in time and organizations struggle to ensure the cyber security of their websites. Moreover, when purchasing website hosting and administration services, they do not include requirements to ensure compliance with cyber security regulations in the purchasing contracts.

Recommendations

• In order to ensure greater maturity of organizations in solving cyber security issues and preventing cyber threats, it is recommended to completely implement the organizational and technical requirements for cyber security set by the Government. To avoid a merely formal implementation of the requirements, NCSC recommends planning material and human resources for cyber security.

• In order to ensure smooth management of cyber incidents, NCSC recommends approving procedures that define cyber incident management, the collection of information and the informing of the competent authorities in accordance with the organizational and technical cyber security requirements set by the Government.

• NCSC recommends the use of technical and organizational measures for strict control of the equipment and software allowed to be part of an organization’s internal network (application identification, unauthorized software restriction) when developing the basics of cyber security of computer networks. Careful configuration and standardization of security settings for the devices and software used by the organization is one of the cores of network security. Taking into consideration the technical features of the incidents observed by NCSC, it is important to emphasize that continuous maintenance of the software used by the organization and the implementation of security updates is a critical process to protect against emerging new cyber threats. Where remote communication between elements of the organization’s network is needed, it is important to ensure that communication over public networks is additionally protected by encryption technologies. It is important to strictly control the allocation and use of administrator privileges and to apply technical measures to restrict computer users’ potentially harmful actions. Taking into consideration the growing number of viruses demanding ransom, we propose applying reliable and verified measures to make and store backups of critically important data.

• NCSC emphasizes that enhancing the ability of organizations to identify cyber-attacks based on social engineering is vital in enhancing organizations’ resilience to cyber threats. This can be achieved by regular training of employees, checks on resilience to intrusions, imitating malicious actions, and, if necessary or in the absence of competence, by using external expertise.

• NCSC notes that in order to improve user awareness and the ability to identify cyber threats, users should be informed and aware that the address of the sender of an incoming email can be forged (so it should not always be trusted); they should pay attention to grammatical mistakes in the sentences (the text is translated into Lithuanian through automatic means); users should not be in a hurry to open the attachments of the letter and the links provided, and should think whether the sender is known and whether they were expecting the letter; the user can check a link by hovering the mouse pointer over it, and an informational message is automatically displayed (Fig. 31); they should pay attention to the subject of the letter and be wary of sensational headlines, of promises of easy financial gain or material benefits, and of the presentation of passwords in the body of the letter; users should be fully aware that nobody has the right to ask for their passwords, so each request (on behalf of the administrator or on behalf of law enforcement) should cause suspicion. In order to protect personal data and stored information, only legitimate commercial or open source software should be used on the computers (malicious code is often added to illegal software), and protective measures should operate properly (many security products allow home users to use free versions of their programs).

Fig. 31. A link to a malicious website

• In order to protect publicly accessible systems or websites from intrusion and illegal alterations to content, organizations should periodically update the software used on their servers and restrict access to the administration interface (for example, with access control lists). The remote administration of the website should be done through a trusted communication channel (for example, a virtual private network). Additional security measures should be used (a web application firewall), along with strict control of the accounts with administrative rights, use of sophisticated and regularly changed access passwords, regular audit of logs and, if necessary, purchase of DDoS protection services. Organizations may indicate the need for security measures in the terms of the purchased hosting service agreement.

Prognosis

Taking into account the trends of global and Lithuanian cyber threats, NCSC predicts that in 2018 security vulnerabilities will be hunted in the information resources and critical information infrastructures of Lithuania. Interest in technological processes and devices connected to the internet will continue to grow.

It is anticipated that social engineering methods will become more and more modern; there will be many cases in which targeted cyber-attacks are carried out. Due to insufficient awareness of the users, the number of successful cyber-attacks of this kind will increase in the future.

Taking into consideration that awareness of the users on cyber threats is low, that the measures necessary to ensure cyber security are not installed in time and that the number of viruses encrypting data is increasing, it is anticipated that the number of successful attacks of this kind will increase in the future.

The growing number of sophisticated malicious software in 2017 suggests that in 2018 more and more unknown vulnerabilities will be exploited. The foreign affairs and security policy, energy, public security and legal order sectors will continue to be the main targets of well-focused cyber-attacks.

Relying on the recent trends in cyber threats, NCSC notes the need to develop the basis of cyber security expertise in the public sector, to accumulate knowledge and develop skills, and to plan resources adequately in order to reduce the risk of cyber security threats.

