NATIONAL CYBER SECURITY CENTRE UNDER THE MINISTRY OF NATIONAL DEFENCE
NATIONAL CYBER SECURITY STATUS REPORT
FOR THE YEAR 2017
CONTENTS
INTRODUCTION
SUMMARY
1. CYBER ATTACK THREAT MAP OF THE REPUBLIC OF LITHUANIA
1.1. Usage of cyber security software in Lithuania
1.2. Annual statistics on cyber security events of the networks of SIR and CII managed by NCSC
1.3. Disruption of electronic services
1.4. Threat level of cyber incidents
1.5. Statistics on cybercrime incidents in other sectors
2. ELECTRONIC COMMUNICATION NETWORKS RECONNAISSANCE
3. VULNERABLE INTERNET WEBSITES
4. CYBER INCIDENTS AND SOCIAL ENGINEERING
4.1. Falsification of the websites of public authorities
4.2. Stealing the passwords from the employees of the state institutions
4.3. Falsification of the bank emails and websites
4.4. Cyber-attacks against smartphone users
4.5. CEO fraud
5. SPREAD OF MALICIOUS SOFTWARE
6. ORGANIZATIONAL AND TECHNICAL REQUIREMENTS ON CYBER SECURITY
7. RESONATING CYBER INCIDENTS
8. EXERCISE
CONCLUSIONS, RECOMMENDATIONS AND PROGNOSIS
Conclusions
Recommendations
Prognosis
INTRODUCTION
The National Cyber Security Centre under the Ministry of National Defence (hereinafter referred to as NCSC) started its activity on the 1st of January 2018, when the updated Cyber Security Law of the Republic of Lithuania (No. XII-1428 of 11 December 2014) came into force. NCSC implements the cyber security policy and performs cyber incident management for the State Information Resources (hereinafter referred to as SIR) and the Critical Information Infrastructure (hereinafter referred to as CII¹), prepares and submits proposals to the Minister of National Defence regarding the organizational and technical requirements for cyber security applied to SIR and CII, and monitors the compliance of these entities with the organizational and technical requirements applicable to cyber security. NCSC has the duty to provide advice and recommendations to the owners and management of SIR and CII on cyber security issues, to analyse the national cyber security situation and to prepare reports on the status of national cyber security. One of the tasks of NCSC is to ensure that CII management has cyber defence plans and is able to carry them out.
In 2017 the Global Cyber Security Capacity Centre at the University of Oxford carried out a cyber security maturity assessment of Lithuania following the Cybersecurity Maturity Model. After the assessment of the cybersecurity policy and strategy, culture and society, education and training, regulatory framework, standards, organizations and technologies, the maturity of Lithuanian cyber security was rated as “established”. Since the 1st of January 2018 the consolidation of cybersecurity and electronic communications network security units and functions has been implemented in order to enhance national cyber security capabilities and to ensure fulfilment of the duties regulated by the law. NCSC started to act as a separate legal entity under the Ministry of National Defence (hereinafter referred to as the MoND), after teaming up the cyber security specialists of the Cyber Security and Telecommunications Services under the MoND (from 1 January 2018 - Information Technology Service at the MoND), the Government Communication Centre under the MoND and the Security Investigation Unit of the Communications Regulatory Authority. Integration of the functions and capabilities of NCSC and the security incident investigation subdivision of the Communications Regulatory Authority allowed the concentration of the cyber security capabilities at the national level.
¹ The Critical Information Infrastructure (CII) in the Law on Cyber Security is defined as an information infrastructure managed by a private or public administration entity where a cyber incident can seriously harm national security, the economy of the country, the interests of the state and society.
In 2017 NCSC continued the installation of technical measures in the infrastructure managed by the owners and operators of the CII and SIR in order to ensure monitoring of the cyber security status. Broadening the monitored space has yielded tangible results: more than four hundred cases of harmful software activity (which cannot be detected by the standard security measures) have been detected and neutralized.
SUMMARY
The National Cyber Security Status Report for the year 2017 is prepared and submitted to the Minister of National Defence by NCSC in accordance with the necessity indicated in section 6 part 2 article 10 of the Law of the Republic of Lithuania on Cyber Security (hereinafter referred to as the Law). The status of cyber security is evaluated taking into consideration the dominant cyber security threats and the capability of the country to resist them. The report is prepared in conformity with the data collected by the technical monitoring measures of NCSC, information presented by the organisations and information received from other sources.
The intensification of the reconnaissance of the electronic communications networks of SIR and CII was observed in 2017. Industrial control system devices that operate in technological processes and have an Internet connection were also scanned more often; cyber-attacks² directed against these devices can lead to physical consequences, where the impact on technological and industrial processes would disrupt the daily activities of the population and the services provided by the operators.
NCSC observed a growing number of cyber incidents: malicious software was distributed, mostly through cyber-attacks based on social engineering principles that target the human factor. The spread of harmful software, as compared to the year 2016, has increased in the areas of public security and legislation, foreign affairs and security policy. The spread of harmful software in the energy sector remains high.
Large-scale Distributed Denial of Service (DDoS) incidents were not observed at the national level, as was the case during the year 2016, but the overall trend of these types of attacks remained unchanged. Cyber-attacks of an average threat level are usually carried out in Lithuania, i.e., the methods of the attacks and technologies are not very advanced. However, NCSC periodically detects technically extremely complex cyber-attacks. On the other hand, global cyber-attacks (WannaCry, NotPetya) did not affect SIR and CII of Lithuania.
The National Unit for the Investigation of Electronic Communication Networks and Information Security Incidents CERT-LT, which carried out its activities at the Communications Regulatory Authority of the Republic of Lithuania in 2017, processed 54 414 incidents. A tenth more cyber incidents in public communications networks were registered compared to the year 2016 (49 463 cases). The biggest cyber security issues in the private sector in the year 2017 were malware and unsafe information systems, including websites.
² Cyber-attack is any type of malicious activity in cyberspace targeting electronic communications goals, information systems or industrial process management systems.
The total number of incidents processed by the cyber incident investigation units, in the public and private sectors combined, was 54 950. Statistics on such incidents signal a major challenge to cyber security in the Lithuanian electronic environment, for citizens, the public sector and business.
After evaluation of the vulnerability of the Lithuanian public sector websites, it was found that in the year 2017 the number of vulnerable websites that could be breached by exploiting only already known vulnerabilities has increased. Organizations continue to avoid updating the software used for their websites on time; contracts for the purchase of website support and administration services generally do not include a cyber security obligation.
NCSC observed a growing number of state information resource managers and administrators and critical information infrastructure managers implementing organizational and technical cyber security requirements (positive progress): some organizations have developed or updated documents regarding security policy establishment and implementation, and installed technical measures to enhance cyber security in the organization. The number of SIR administrators and managers who partially implemented the organizational requirements approved by the Government increased by 47% in the year 2017, while the number of those who implemented all requirements increased by 11,5%. The concern of organizations over cyber security is noticeable, and for the most part organizations are planning to meet all the requirements in the future. However, most of the entities failed to meet all the organizational and technical requirements for cyber security set by the Government in time.
1. CYBER ATTACK THREAT MAP OF THE REPUBLIC OF LITHUANIA
NCSC observed the following threats and tendencies in the cyber security status which could potentially cause the greatest damage to Lithuanian cyber security in the year 2017 (Fig. 1):
the spread of malicious software;
vulnerable websites;
social engineering;
reconnaissance of electronic communication networks;
denial of electronic services;
implementation of organizational and technical requirements for cyber security in SIR and CII.
Fig. 1. Cyber security threats and their tendencies which emerged in 2017 compared to 2016.
During the year 2017 malicious software was spreading rapidly. The number of vulnerable websites and reconnaissance inquiries in electronic communications networks increased, and social engineering methods were used more often in cyberspace. Large-scale distributed denial of service (DDoS) incidents were not observed at the national level, as was the case during the year 2016, but the overall trend of these types of attacks remained unchanged. The level of implementation of organizational and technical cyber security requirements among CII and SIR has improved. The assumptions of NCSC are confirmed by the 2017 data of CERT-LT (now part of NCSC), according to which the greatest threats to cyber security in Lithuania were malware and unsafe information systems, including websites. NCSC points out that these two threats correlate, i.e. poorly protected websites are breached by abusing their vulnerabilities and used to carry out further malicious activities (for example, to spread malware). Malicious code, or redirection links to websites distributing malicious code, may be added to the overtaken websites in order to infect visiting users’ computers with viruses that encrypt data or use the computers’ resources to mine cryptocurrency.
1.1. Usage of cyber security software in Lithuania
End point equipment with access to the Internet is the most vulnerable part of the information systems of organisations. Cyber security software (hereinafter referred to as the software) helps to prevent threats, but the software itself, which has all the privileges, including the possibility of access by external entities, is most often not controlled.
While assessing the state of cyber security in public sector institutions in Lithuania, NCSC also identified the most commonly used security software (mostly software that stops harmful code from executing) and its country of origin. Over 700 respondents were interviewed. CII managers, Lithuania’s state institutions, companies and other organizations which manage information resources of the state participated in the survey.
According to the survey, the most often used software is created in the US – 49,18%. Other software originated in Slovakia – 12,45% and the Czech Republic – 11,53%. Cyber security software produced in Russia is used by 4,89% of the respondents (Fig. 2).
Fig. 2. Overall distribution of the software in Lithuania according to the country of origin of the
software
NCSC notes that software and hardware used for cyber security are only a part of the tools that provide cyber security solutions. Education and raising the awareness of the organisation’s employees and computer users on cyber security issues is extremely important. Furthermore, additional cyber threats may emerge in the networks of organizations because of the uncontrolled activities of contractors and subcontractors. For these reasons it is important to encourage organizations to assess and improve the cyber security of the state, taking into account their internal organizational environment, and to implement the organizational and technical requirements for cyber security established by the Government.
1.2. Annual statistics on cyber security events of the networks of SIR and CII managed by NCSC
During the year 2017, NCSC registered 8 cyber incidents of high importance and 528 incidents of medium importance. Most incidents of medium importance are related to malware activity. For comparison, 489 incidents of high and medium importance were registered in 2016.
According to the data recorded by NCSC, it could be concluded that the
number of registered cyber incidents in Lithuania is increasing.
1.3. Disruption of electronic services
One of the most popular cyber-attacks against electronic services is Distributed Denial of Service (hereinafter referred to as DDoS), which aims to affect the availability of electronic services and servers.
NCSC investigated a large-scale DDoS attack against one of the SIR managers: the cyber-attack was targeted at a health sector website, while also attacking other subjects in the same IP range. TCP SYN Flood traffic was directed to the website of the organization from more than 10 000 IP addresses. The incident is classified as a medium importance cyber incident.
NCSC points out that, according to various sources, there is an increase in the number of attacks against Internet of Things (IoT) equipment, and in its capture and exploitation for DDoS attacks. In the year 2017, CERT-LT observed 24 612 devices with security vulnerabilities (20 690 devices in 2016)³.
NCSC notes that security measures should be synchronized and implemented in the infrastructure of a service provider.
³ The National Electronic Communications Networks and Information Security Investigation Division of the Republic of Lithuania activity report for 2017. https://www.cert.lt/doc/2017.pdf
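| Group | Category | I quarter | II quarter | III quarter | IV quarter | Total No of incidents |
|---|---|---|---|---|---|---|
| Malicious software | High importance | 1 | 0 | 4 | 1 | 6 |
| Malicious software | Medium importance | 97 | 81 | 134 | 180 | 492 |
| Hacking | High importance | 0 | 1 | 0 | 1 | 2 |
| Hacking | Medium importance | 0 | 1 | 1 | 0 | 2 |
| CIS* disturbance | High importance | 0 | 0 | 0 | 0 | 0 |
| CIS* disturbance | Medium importance | 0 | 1 | 0 | 0 | 1 |
| Violation of integrity | Medium importance | 28 | 0 | 2 | 3 | 33 |
| Total No of incidents | | 126 | 84 | 141 | 185 | 536 |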
Table 1. Incidents of high and medium importance registered by NCSC in 2017
* CIS – communication and information systems
1.4. Threat level of cyber incidents
In order to determine the threat level of cyber-attacks which took place in 2017, NCSC performed an analysis and evaluation of medium to high-level cyber incidents in order to determine the malicious software used for attacks, possible culprits, motives, intentions, sophistication of technological attacks, and other factors that show the level of the threats.
For the most part, the cyber-attacks carried out are of the medium threat level, i.e. the methods and technologies of the attacks are not very advanced (Figure 3). Nevertheless, NCSC periodically detects technically complex, continuous and targeted cyber-attacks, the purpose of which is to infiltrate specific systems and proceed with the exfiltration of information.
1.5. Statistics on cybercrime incidents in other sectors
In the year 2017, the National CERT-LT investigation unit processed 54 414 incidents based on reports received from the Lithuanian electronic communications service providers, foreign CERT services conducting international incident investigations and Internet users from Lithuania. Compared to the year 2016 (49 463 cases), a tenth more cyber incidents were recorded.
Figure 3. Total average of the threat assessment of cyber incidents examined by NCSC in 2017 (radar chart, scale 0 to 6; axes: the complexity of reconnaissance technique, attack vectors, exploitation of vulnerabilities, malware capabilities, trace hiding method level, type and quantity of affected targets, innovation level, duration of undetected operation, motives, intent, capacity level of an attacker, impact)
| Types of processed incidents (the year 2017) | I q. | II q. | III q. | IV q. | Total |
|---|---|---|---|---|---|
| About malicious software | 2 580 | 2 755 | 2 898 | 2 606 | 10 839 |
| About taking over the information systems | 2 962 | 2 775 | 2 704 | 2 510 | 10 951 |
| About E-service interruptions | 12 | 7 | 11 | 20 | 50 |
| About E-data falsification | 340 | 376 | 257 | 264 | 1 237 |
| About integrity violations | 2 | 7 | 4 | 2 | 15 |
| About device security flaws | 5 848 | 5 938 | 6 464 | 6 362 | 24 612 |
| Various | 2 899 | 1 672 | 943 | 1 196 | 6 710 |
Table 2. Incidents analysed by their types by CERT-LT in 2017
According to the 2017 statistics, there are two major cyber security issues in Lithuania: malware (malicious code) and unsafe information systems, including websites. These security issues complement each other and increase the potential risk to Internet users. According to the data of CERT-LT, about 3 000 computers in Lithuania were remotely managed without the knowledge of their owners during 2017.
There were 10 951 incidents of overtaking the information systems during 2017 (during 2016 there were 10 673 incidents). These types of incidents include malicious software and breached websites. On average CERT-LT registers 10 new overtaken websites every day. Since autumn, the number of overtaken websites used for mining cryptocurrency has been increasing. As cryptocurrencies are getting more popular, the creators of ransomware are also getting more active. Both individual users and companies suffer from this type of threat. During 2017 there were 10 839 (in 2016 – 11 212) incidents related to ransomware.
2. ELECTRONIC COMMUNICATION NETWORKS RECONNAISSANCE
Scanning the ports of network devices remained one of the most common, easiest and relatively most effective cyber reconnaissance tools during 2017. Port scanning is not necessarily carried out with malicious intent, but this reconnaissance method is still one of the first steps in gathering information about the specific types of equipment, services and protocols, software and other potential vulnerabilities for subsequent cyber-attacks. In the year 2017 the number of port reconnaissance cases increased. Compared to the year 2016, interest in port 23 increased (this port is used for the Telnet protocol, unencrypted communication).
By comparing the port scan statistics of NCSC with the most up-to-date data on attacked ports provided by CERT-LT, it can be stated that the same ports are commonly scanned in both the public and private sectors: 23, 22, 445, 1433.
Figure 4. The main types of incidents in the private sector in 2017: device security vulnerabilities 45%, compromised system 20%, malware 20%, various incidents 13%, e-data falsification 2%
The distribution of false emails which imitate the head of a company and ask a subordinate to carry out financial operations (CEO fraud) continues to grow. During the year 2017 there was an increase in the number of falsifications of popular websites: CERT-LT investigated 1 237 cases of phishing. In comparison, during 2016 the number was 555. Fake websites are created in order to make a profit. During 2017 emails and short messages containing a link to a bank’s fake website were still very popular.
Figure 5. Port scan statistics in the networks monitored by NCSC during 2017
During the year 2017 NCSC paid particular attention to the ports used for technological processes and their reconnaissance: the number of scans is increasing and correlates with the scan statistics of other ports.
The monitored ports are related to devices, such as programmable logic controllers, which can control specific technological processes capable of generating kinetic effects (for example, such equipment can be used to control water treatment plants, power supply and distribution, transport control systems, etc.).
The cyberspace monitored by NCSC is being scanned from different territories. It is important to emphasize that the IP addresses in the scanning statistics only specify the geographic location of the final scanning facilities. The real scanning entities may use intermediate connections to connect to these devices, so their actual geographic location cannot be determined from the primary data.
In most cases, the address range of Lithuania is scanned (including searches for ports used in industrial networks) from the territories of the following countries: the United States of America, Russia and China. It should be noted that more than a half of the devices operating on industrial networks that are being searched for use the BACnet, ModBus, Niagara Tridium Fox and Siemens S7 protocols (Table 3). One-third of the IP addresses from which the cyberspace monitored by NCSC was scanned are described as malicious addresses by various sources.
Industrial process control devices operating on specific networks are often connected to terminal equipment with an Internet connection. End point devices are not updated on time due to compatibility constraints or high prices. As a result, the risk of cyber-attacks targeting industrial networks is increasing, so it is important to ensure that information systems that control industrial processes do not have Internet connectivity, or that they are additionally protected with communication encryption.
| No | Title | % |
|---|---|---|
| 1. | BACnet | 20,7 |
| 2. | Modbus | 15,4 |
| 3. | Niagara Tridium Fox | 12,8 |
| 4. | Siemens S7 | 9,0 |
| 5. | EtherNet/IP | 8,2 |
| 6. | DNP3 | 6,3 |
| 7. | Mitsubishi Electric MELSEC-Q | 5,0 |
| 8. | Omron FINS | 4,9 |
| 9. | PCWorx | 3,6 |
| 10. | HART-IP | 3,2 |
| 11. | ProConOS | 2,9 |
| 12. | Red Lion Controls Crimson V3 | 2,8 |
| 13. | Codesys | 2,6 |
| 14. | GE Industrial Solutions-SRTP | 2,2 |
| 15. | IEC 60870-5-104 | 0,3 |
Table 3. Reconnaissance of the equipment used in technological processes by protocols and/or
equipment manufacturers in 2017.
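A network owner can spot the reconnaissance pattern described in this section in their own firewall logs. The following is an added example, not NCSC tooling or code from the report: the log format, addresses and thresholds are constructed, and the industrial port numbers are the commonly used defaults for the first six protocols of Table 3 (the report names the protocols, not the ports).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the report names as most often scanned in both sectors.
IT_PORTS = {23: "Telnet", 22: "SSH", 445: "SMB", 1433: "MS SQL"}
# Assumption: commonly used default ports of the top six protocols in Table 3.
# BACnet normally runs over UDP, the others over TCP; transport is ignored here.
ICS_PORTS = {47808: "BACnet", 502: "Modbus", 1911: "Niagara Fox",
             102: "Siemens S7", 44818: "EtherNet/IP", 20000: "DNP3"}

# Constructed log format: "<UTC time> <action> src=<ip> dst=<ip> dpt=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \w+ src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))


def detect_scans(lines, window=timedelta(seconds=60), min_targets=5):
    """Flag sources that touch >= min_targets distinct (host, port) pairs
    inside any sliding time window, and classify the scan shape."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, dpt = rec
            by_src[src].append((ts, dst, dpt))

    names = {**IT_PORTS, **ICS_PORTS}
    findings = {}
    for src, events in by_src.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) < min_targets:
            continue
        hosts = {d for d, _ in best}
        ports = {p for _, p in best}
        if len(ports) == 1:
            kind = "horizontal"   # one service probed across many hosts
        elif len(hosts) == 1:
            kind = "vertical"     # many services probed on one host
        else:
            kind = "mixed"
        findings[src] = {
            "kind": kind,
            "targets": len(best),
            "ports": sorted(ports),
            "services": sorted(names[p] for p in ports if p in names),
            "ics": any(p in ICS_PORTS for p in ports),
        }
    return findings


# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = (
    # Telnet sweep across six hosts in six seconds.
    [f"2017-11-03T10:15:{i:02d}Z DROP src=198.51.100.7 dst=192.0.2.{i} dpt=23"
     for i in range(1, 7)]
    # One host probed on six industrial ports within 25 seconds.
    + [f"2017-11-03T11:00:{5 * i:02d}Z DROP src=203.0.113.9 dst=192.0.2.20 dpt={p}"
       for i, p in enumerate(sorted(ICS_PORTS))]
    # Five SSH attempts spread over eight minutes: below the window threshold.
    + [f"2017-11-03T12:{2 * i:02d}:00Z DROP src=198.51.100.50 dst=192.0.2.{30 + i} dpt=22"
       for i in range(5)]
    + ["2017-11-03T12:30:00Z ACCEPT src=192.0.2.200 dst=192.0.2.10 dpt=443",
       "garbage line that the parser must skip"]
)

if __name__ == "__main__":
    for src, info in sorted(detect_scans(SAMPLE_LOG).items()):
        print(src, info)
```

The slow SSH source is deliberately missed with the 60-second window; widening `window` trades that gap for more false positives from ordinary clients.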
3. VULNERABLE INTERNET WEBSITES
Organizations usually publish information about their activities and the services they provide on their websites. It is important to emphasize that organizations, depending on the range of the services provided, use information technology of varying complexity, so the purchase and maintenance of the services are funded differently; accordingly, the quality is often not assessed against security criteria.
Organizational websites are accessible by specific domain names, which in the online register of names are linked to the IP addresses of the website hosting service (hereinafter referred to as HS). The software on the HS side processes the requests received and passes the information to the requesting entity. A cyber-attack in this case may consist of manipulation and the creation of atypical working conditions by provoking disruptions within the HS software and hardware components, creating the possibility to affect the components of a website and the integrity, confidentiality and availability of information.
The HS software (hereinafter referred to as the software) consists of: the operating system (hereinafter referred to as the OS), the website broadcasting service, the hypertext interpreter, the content management system (hereinafter referred to as the CMS) and other additional network services such as e-mail, data exchange or remote administration programs. Flaws in the software are periodically discovered; exploitation of these vulnerabilities during an attack may lead to disruption of service, the possibility to upload harmful program code, access to a data fragment, or the possibility to modify data or influence the program and the functioning of the website.
Malicious code is uploaded to the affected sites in order to distribute it, to intentionally infect visitors of the website, or to exploit these websites as intermediate proxies for other attacks.
In order to determine the security level of the websites and its changes over time, NCSC carried out two security evaluations of the websites in 2017. According to the initial list of websites, approximately 1200 public sector websites were tested. The study was performed on the basis of statistical modelling, analysis of the information sent by the server during normal site browsing (GET request HTTP header banner), technical data from public catalogue databases and information received by passive scanning tools about website hosting servers and website broadcasting software. The network services operating on TCP/IP protocol ports 80 and 443 were evaluated.
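A site owner can apply the same kind of header banner analysis to their own servers. The following is an added example, not NCSC's methodology or code: the captured response headers, host names and the minimum-version baseline are all constructed for illustration, and a real baseline has to come from the vendors' current support status.

```python
import re
from collections import Counter

# Hypothetical minimum-version policy, constructed for this example only.
BASELINE = {
    "apache": (2, 4, 29),
    "nginx": (1, 12, 2),
    "php": (7, 1, 0),
    "microsoft-iis": (8, 5),
}

# Matches "Product/1.2.3" tokens as they appear in Server / X-Powered-By.
TOKEN_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)/(\d+(?:\.\d+)*)")


def parse_head(raw):
    """Split a raw HTTP response head into (status code, {header: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def components(headers):
    """Extract {product: version tuple} from the banner headers."""
    found = {}
    for name in ("server", "x-powered-by"):
        for value in headers.get(name, []):
            for product, version in TOKEN_RE.findall(value):
                found[product.lower()] = tuple(int(x) for x in version.split("."))
    return found


def assess(raw):
    """Classify one site from its response head.

    status is "outdated" when any disclosed component is below BASELINE,
    "undisclosed" when the banner reveals no versions (nothing can be said
    passively), and "current" otherwise."""
    _, headers = parse_head(raw)
    comps = components(headers)
    outdated = sorted(p for p, v in comps.items()
                      if p in BASELINE and v < BASELINE[p])
    if outdated:
        status = "outdated"
    elif not comps:
        status = "undisclosed"
    else:
        status = "current"
    return {"components": comps, "outdated": outdated, "status": status}


def summarise(samples):
    """Count sites per status across a {host: raw head} mapping."""
    return dict(Counter(assess(raw)["status"] for raw in samples.values()))


# Constructed captures of responses to an ordinary GET request.
SAMPLES = {
    "site-a.example": ("HTTP/1.1 200 OK\r\n"
                       "Server: Apache/2.2.15 (CentOS)\r\n"
                       "X-Powered-By: PHP/5.3.3\r\n"
                       "Content-Type: text/html\r\n\r\n"),
    "site-b.example": ("HTTP/1.1 200 OK\r\n"
                       "Server: nginx\r\n"
                       "Content-Type: text/html\r\n\r\n"),
    "site-c.example": ("HTTP/1.1 200 OK\r\n"
                       "Server: nginx/1.12.2\r\n"
                       "X-Powered-By: PHP/7.1.12\r\n\r\n"),
}

if __name__ == "__main__":
    for host, raw in SAMPLES.items():
        print(host, assess(raw))
    print(summarise(SAMPLES))
```

A banner with no version is not evidence of a patched server, which is why the example reports it as a separate status instead of counting it as current.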
Fig. 6. The state of cybersecurity of the public sector websites in 2016-2017. *
2016: Difficult to hack 48%, Easy to hack 34%, Very easy to hack 18%
2017: Difficult to hack 25%, Easy to hack 52%, Very easy to hack 23%
* Very easy to hack - technical knowledge or special programming skills are not required. Successful attacks are easily reproduced, the instructions for necessary actions are easily found on the internet.
Easy to hack – there is a need for necessary skills and knowledge, usually published in closed groups.
Difficult to hack – there is a need for deeper knowledge and skilled specialists, vulnerabilities are not yet publicly available.
The study showed that during the year 2017 23% of the checked public sector websites could be disrupted by intruders of low qualification, 52% by intruders of medium qualification and 25% by highly skilled intruders. In the year 2016 nearly one-fifth of the websites (18%) could be hacked with no specific technical knowledge or special programming skills, up to 34% of the websites could be hacked with the appropriate level of skill and knowledge, while 48% of the sites were relatively safe: only highly qualified specialists could potentially hack them (Fig. 6).
Usually, websites are exploited through the HS software, security vulnerabilities of the CMS and its plugins, insufficient HS security configuration, misuse of administrative privileges and access, and very easy to guess or default passwords.
In the year 2017 it became very popular to exploit websites and use them to generate cryptocurrencies, using the computers of website visitors to do the mining calculations. Visitors who opened the infected website unknowingly enabled the malicious code, which starts the cryptocurrency mining process on behalf of the intruders of the website. It was noticed that in certain cases the code for cryptocurrency generation could also have been uploaded by the owners of the websites themselves.
When comparing the data of 2015 - 2017 (a positive website security trend was observed in 2016), it can be seen that during the year 2017 the number of websites that are very easy to hack slightly increased (23%), the number of websites that were easy to hack increased the most (from 34% to 52%) and the number of websites that were difficult to hack decreased compared with the year 2016 (to 25%) (Fig. 7).
In general, it can be said that the security state and resilience of the websites of the public sector became worse in 2017. This conclusion is confirmed by the CERT-LT study performed in 2017, according to which the CMS of about 70% of websites is outdated.
In order to protect publicly accessible systems or websites from being exploited, it is necessary to regularly update the software used on the servers, restrict access to the administration interface (for example, through access control lists), use additional security measures (such as firewalls for web applications), strictly control account administration privileges, use complex and regularly changed passwords, and periodically audit logs.
Fig. 7. The change of vulnerability of the websites according to the hacking complexity during
2015-2017
4. CYBER INCIDENTS AND SOCIAL ENGINEERING
Social engineering techniques are used to manipulate people’s emotions and to use psychological effects to push users into potentially harmful actions (clicking links, opening websites, downloading files, enabling malicious code, revealing personal or login details). The most popular methods, Phishing and Baiting, are used to obtain information for further cyber-attacks and to spread malware in the networks of organizations. For example, after a document sent via e-mail is opened and macro commands are enabled (Fig. 8), a malicious payload is downloaded to the workstation. The code encrypts the user’s data and then asks the user for a ransom (Fig. 9). Malicious .docx, .xlsx or .pdf documents are sent most often. In order to avoid security checks, these files are often archived, and the password is provided to the user in the text of the message sent (Fig. 10).
The number of letters created using social engineering principles increased by one and a half times during 2017. NCSC registered over 188 500 social engineering emails per year in one of the monitored institutions. During 2016 the number was 106 000, in 2015 - more than 37 000.
NCSC observed the targeted distribution of emails created using social engineering principles in the year 2017. It should be emphasized that the actual websites and information systems of the institutions and organizations (see examples below) have not been hacked; what is shown are their fake versions, which use the design elements, colours, logos and names of the originals.
4.1. Falsification of the websites of public authorities
In the year 2017, NCSC investigated several cyber-attacks initiated by and based on social engineering methods. During these attacks letters were sent with links to fake websites of state institutions. One example is the State Tax Inspectorate (hereinafter referred to as the STI). Efforts were made to use the name of the STI to obtain credit card data under the pretence of returning excessive tax.
The email stated that an error had been found in the STI calculations,
and the recipient was asked to provide his credit card details in order to receive
the excessive tax. The amount of money to be refunded was indicated in the former state
currency; moreover, there were obvious grammatical mistakes in the text of the letter,
suggesting that the text had been translated with an automated language translation
program (Fig. 12).
Fig. 8. Enabling the macro commands in the received document
Fig. 9. An example of encrypted data message
Fig. 10. Password provided in the text of the letter.
Fig. 11. Number of social engineering emails in 2015-2017
A hyperlink to the fake website was included in the letter. This website used
similar design elements and colours copied from the actual website of the STI (Fig. 13).
Fig. 12. Fake email
Fig. 13. The fake website of the State Tax Inspectorate
When the user submits credit card information, this data is received by the
attackers.
4.2. Stealing the passwords from the employees of the state institutions
NCSC investigated incidents in which fake letters, purporting to come from computer
network administrators and informing about updates to the mailing system, were sent to
the employees of the public authorities (Fig. 14). The provided link led to a phishing
site imitating the institution's email service website (Fig. 15). Passwords provided by
the users were taken over by the attackers.
4.3. Falsification of the bank emails and websites
NCSC investigated cyber-attacks based on social engineering methods in which
emails with links to fake websites of the banks operating in Lithuania were
distributed (Fig. 16).
Criminals try to reach users not only via email, but also using short (SMS)
messages (Fig. 17) containing a fake bank information notice and a link to a fake
bank website.
By clicking on the links presented in the email, the user opens websites
that use design elements, logos and colours of the websites of well-known
organizations. An attempt is made to persuade the visitor that it is a real website and
to force him to log in with real credentials (Fig. 17, 18). If the visitor provides his
login information (the visitor is asked to provide the secondary authentication factor
in an extra table), it is transmitted to the server of the attacker through the
unencrypted communication protocol (http). Login data could be used to steal money from
the user.
Fig. 14. Fake email from an administrator
Fig. 15. Fake email service website
Fig. 16. An example of social engineering - a fake email
Fig. 17. Fake bank messages
Fig. 18. Phishing website
It should be noted that in order to steal the banking credentials, links to
phishing websites may be sent not only via email, but also by using short text
messages.
4.4. Cyber-attacks against smartphone users
The variety of cyber-attacks based on social engineering methods is not
limited to emails. As was shown above, links to infected websites or to dangerous
software may also be sent via short text messages (Fig. 19). This may help to infect
smartphones, which process a lot of important personal information (personal data,
passwords, geographic location, financial transaction information, audio and video
without the consent of the owner of the device).
Fig. 19. Harmful links are distributed via short text messages
4.5. CEO fraud
During the year 2017 NCSC received a lot of reports from representatives
of organizations regarding letters impersonating executives and trying to
persuade the staff responsible for financial transactions to make money transfers
into the accounts of the attackers (Fig. 20). Such cyber-attacks are not technically
complex, but before they are organized, detailed information about the target and
its environment (organization's activities, responsible personnel, agenda, etc.) is
collected.
Fig. 21. Typical CEO fraud scenario
It is important to emphasize that corporate executives often fail to comply
with the basic cyber security measures, which are mandatory for other employees
of the organization; therefore it is important to apply cyber security means
throughout the organization. Employees, who may be targeted, should also be informed
about such frauds. Cyber security awareness would be greatly enhanced by regular
training of the staff and exercises on resilience to threats carried out by the company
itself or by trained specialists.
Fig. 20. An example of social engineering. Imitated email address
It is important for the attackers that the employee makes the money
transfer as quickly and confidentially as possible, otherwise the other employees of the
organization may find out about the operation. It is also important for the attackers
to create a stressful situation and to force employees to act in an irrational way. That
is why at that time it is crucial for them to take advantage of the authority of the
manager and to create an artificial difficulty in contacting him. Occasionally, an
attempt is made to force the employee not to follow the established procedures. After
the employee has been convinced, a third party may indicate how the money transfer
operation should be performed. Afterwards, the employee transfers money to one or more
of the difficult to trace accounts of the attacker.
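The traits of the CEO-fraud letters described in this section (an imitated sender address, pressure to act fast and confidentially, a manager who is made hard to reach) can be checked mechanically before a payment request reaches finance staff. The following is an added example, not part of the NCSC report; the indicator names, phrase lists, domains and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy

# Assumed phrase lists for the three pressure tactics named in the report.
URGENCY = ("urgent", "immediately", "today", "as soon as possible")
SECRECY = ("confidential", "do not discuss", "keep this between us")
UNREACHABLE = ("cannot take calls", "in a meeting", "not available by phone")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ceo_fraud_indicators(raw: str, org_domain: str, executives: set) -> list:
    """Return the indicators a message triggers, in a fixed order."""
    msg = message_from_string(raw, policy=policy.default)
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return ["missing_from"]
    sender = from_header.addresses[0]
    domain = sender.domain.lower()
    org = org_domain.lower()
    external = domain != org
    found = []

    # An executive's name shown to the reader, but the address is not ours.
    known = {name.casefold() for name in executives}
    if external and sender.display_name.casefold() in known:
        found.append("executive_name_external_address")

    # Sender domain differs from the organization's by one or two characters.
    if external and 0 < edit_distance(domain, org) <= 2:
        found.append("lookalike_domain")

    # Replies would go somewhere other than the visible sender.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        if reply_to.addresses[0].domain.lower() != domain:
            found.append("reply_to_mismatch")

    # At least two of the three pressure tactics appear in the text.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    tactics = sum(any(p in body for p in group)
                  for group in (URGENCY, SECRECY, UNREACHABLE))
    if tactics >= 2:
        found.append("pressure_language")
    return found


# Constructed sample messages (all names and domains are invented).
CONSTRUCTED_FRAUD = (
    "From: Jonas Jonaitis <jonas.jonaitis@examp1e-corp.test>\n"
    "Reply-To: j.jonaitis@mailbox.test\n"
    "To: accounts@example-corp.test\n"
    "Subject: Payment\n"
    "\n"
    "I am in a meeting and cannot take calls. Please make an urgent payment\n"
    "today and keep it confidential until I am back.\n"
)
CONSTRUCTED_LEGIT = (
    "From: Jonas Jonaitis <jonas.jonaitis@example-corp.test>\n"
    "To: accounts@example-corp.test\n"
    "Subject: Agenda\n"
    "\n"
    "The agenda for Monday is attached.\n"
)

if __name__ == "__main__":
    executives = {"Jonas Jonaitis"}
    print(ceo_fraud_indicators(CONSTRUCTED_FRAUD, "example-corp.test", executives))
    print(ceo_fraud_indicators(CONSTRUCTED_LEGIT, "example-corp.test", executives))
```
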
5. SPREAD OF MALICIOUS SOFTWARE
NCSC observed a growing trend of spreading malware in the year 2017.
During 2017 NCSC detected and neutralized harmful software more than 450 times
(Fig. 22). Several incidents were investigated in which highly advanced spyware
was identified. This software is associated with foreign intelligence services.
The operation of such software has been detected and prevented in several state
institutions of Lithuania.
6. ORGANIZATIONAL AND TECHNICAL REQUIREMENTS ON CYBER SECURITY
On 20 April 2016 the Government of the Republic of Lithuania, by
Resolution No. 387 (hereinafter referred to as the Resolution), defined the
organizational and technical requirements for the CII administrators and SIR managers
and administrators. The requirements set by the government de facto obligated
organizations to establish a cyber security policy, carry out risk assessments, prevent
hacking, develop the necessary skills for cyber security, define the procedures for
cyber incident management and implement specific technical measures. The
administrators and managers of the SIR had to fulfil the organizational requirements
within 4 months from the date the Resolution came into force, i.e. till August 2016,
and the technical requirements within 12 months, i.e. till April 2017. The
administrators of the CII had to implement the organizational cyber security
requirements within 4 months, i.e. till July 2017, and the technical requirements within
12 months, i.e. till March 2018.
At the beginning of 2018, NCSC conducted a survey with more than 200
questions in order to assess in detail the compliance of SIR administrators and
managers and CII administrators with the organizational and technical requirements for
cyber security. The majority of surveyed subjects represented the health and public
administration sectors (Fig. 23). Most respondents indicated that they were
familiar with the requirements indicated in the Resolution; 5% of the respondents
pointed out that they were not familiar with the requirements, whereas a survey
conducted by NCSC a year earlier showed that one third of the respondents were
unfamiliar with this legal act in the year 2016.
Fig. 22. Malicious software detected by NCSC during 2017 by sectors
During 2017 NCSC, with the help of distributed technical sensor tools,
continued to monitor for malicious activity. Most of the detected harmful software
activity was in the energy sector (more than 26%), public security and legal order sector
(more than 22% of all cases) and the foreign affairs and security policy sector (more
than 21% of all recorded cases). Spread of harmful software, if compared to the year
2016, has increased in the public security and legal order, foreign affairs and security
policy sectors, while in the energy sector it remained high.
Fig. 23. Organizations which participated in the survey by sector
In 2017 the extent of implementation of organizational requirements for
SIR managers and administrators has increased - all requirements have been
implemented by 13% of the subjects, 16% of the subjects implemented more than half
of the requirements, 21% less than half and 50% did not implement the
requirements or did not provide information to NCSC. Meanwhile, 26% of CII
administrators indicated that they had implemented all the organizational requirements.
32% answered that they had implemented more than a half of the requirements, 13%
less than a half, and 29% did not implement the requirements or did not provide
information (Fig. 24).
Fig. 24. Implementation of organizational requirements by managers and administrators of CII
and SIR
60% of the SIR managers and administrators, who implemented more than
half of the requirements, 51% who have implemented less than half of the
requirements and 40% of the entities, who did not implement the requirements, indicated
that they had planned to implement the remaining requirements in the future. 75%
of the CII administrators, who implemented more than a half of the requirements,
100%, who have implemented less than a half of the requirements and 18%, who
did not implement the requirements, indicated that they had planned to implement
them in the future (Fig. 25). It could be concluded that the majority of the subjects
who have not implemented the requirements, to a large extent, do not plan to
implement them in the future.
Water supply service sector 1%
Industry sector 1%
Food sector 1%
Civil Security Sector 1%
Financial sector 3%
Energy sector 4%
Information technology and electronic communications sector 4%
Transport and postal sector 4%
Environmental sector 7%
Public security and legal order sector 11%
State administration sector 15%
Health sector 24%
Other sectors 24%
Fig. 25. Managers and administrators of CII and SIR who say they are planning to implement
organizational requirements in the future
The technical requirements had to be implemented by the organizations
within one year from the date the Resolution came into force or the CII list was
approved by the Government. NCSC conducted a survey in order to determine the
number of organizations meeting the requirements or how they plan to implement
them in the future (Fig. 26).
Fig. 27. Percentage of CII managers and SIR administrators that are planning to implement the
technical requirements in the future
In the year 2017, the number of organizations that implemented
organizational requirements showed positive growth. NCSC carried out a detailed
assessment of compliance with the organizational requirements set by the Resolution
in organizations stating that all of the requirements are implemented. All audited
organizations manage state information resources and critical information
infrastructure. The evaluation sought to identify the quality of the documents forming
the cyber security policy, by defining implementation of the requirements and
correlation with the documents and procedures implementing the policy, and their
integration with the organization's processes. It also sought to identify the problems
that organizations encounter in practice while implementing organizational
requirements.
It should be noted that institutions that have formally implemented all the
requirements set in the Resolution did not fully integrate them into the organization's
policy documents; in addition, implementation of the requirements was not defined,
transferring direct responsibility to the employees. Despite the fact that the
requirements were met, processes are not always managed and evaluated, and are
implemented only partially.
Organizations defined and implemented the processes of cyber incident
management and designated the responsible personnel; however, de facto the
requirement to inform the responsible organizations about cyber incidents is not
practically integrated and formalized.
Fig. 26. Implementation of technical requirements by managers and administrators of CII and SIR
6% of the SIR managers and administrators stated that they had implemented all the
technical requirements. 12% implemented more than a half of the requirements, 17% less than a
half and 65% did not implement the requirements or did not provide information. The Survey
revealed that 13% of CII managers have implemented all the indicated technical requirements, 24%
implemented more than a half of the requirements, 34% - less than a half and 29% - did not
implement the requirements or did not provide information.
Managers and administrators of the CII and SIR who partially implemented the technical
requirements indicated that they are planning to implement all the requirements in the future, but
only 6% of SIR and 18% of CII managers and administrators who have not implemented the
requirements indicated that they are planning to implement all the requirements in the future. In
conclusion, most of the entities that have not implemented the requirements are not going to do
so in the future (Fig. 27).
Organizations point out that the requirements, set by the Resolution, are difficult to
implement due to lack of competence, human and financial resources (Fig. 28). Entities are not yet
able to evaluate the importance of cyber security for their managed information resources and, in
general, cyber security is not considered as a priority area.
Fig. 28. Interaction between the major problems arising from the implementation of
organizational and technical requirements for cyber security
The survey of implementation of the organizational and technical cyber security
requirements has shown that most of the organizations were aware of the requirements
applicable to them, and that the tendency for implementation was improving. After the
assessment of compliance of the organizations that declare they have implemented all
the organizational requirements, it was observed that the requirements mutatis mutandis
are only formally fulfilled and the implementation of all organizational requirements
is practically not guaranteed. It is important to emphasize that most of the
organizations that have not implemented the requirements do not plan to implement
them in the future.
7. RESONATING CYBER INCIDENTS
In the year 2017 there were a number of cyber-attacks that generated
great interest at the national and international levels.
Cyber-attacks against the media were registered. During these attacks
misleading and panic inducing information related to the mission of NATO soldiers was
published. In April the BNS system was hacked – fake news about US troops in Latvia
was published. This was done through unauthorized use of the www.bns.lt content
management system's administrator account.
In May, an international cyberattack took place, hitting targets in one and a
half hundred countries. The WannaCry computer virus, exploiting a security
vulnerability in the Windows operating system, spread on computer networks,
encrypted the data of the users stored in the computers and requested a ransom for its
recovery. Organizations from the education, health and transport sectors and other
important information infrastructures have suffered in the countries of the European
Union. According to the data of NCSC, there were no infected IP addresses or
state-owned or critical information infrastructure objects in Lithuania.
Fig. 29. Example of WannaCry Virus encrypted data
In June, the same operating system vulnerability was exploited in the
spread of another encrypting virus, “NotPetya”.
Fig. 30. Example of data encrypted by “NotPetya” virus
The virus has mostly spread in the computer systems of Eastern Europe.
According to CERT-LT data, five cases of information system damage were detected
in Lithuania, disrupting business activities and causing losses.4 NCSC did not register
related incidents in the SIR or CII.
NCSC points out that the operating systems of servers and workstations used on the
network of the organization should be updated on time (as soon as the manufacturer
issues security patches). If the systems used are not supported by the manufacturer,
their access to the internet should be limited and security should be enhanced by
additional means.
For protection against these types of attacks, it is recommended to regularly
back up important data, which should be stored separately and not be accessible
from the environment of employees.
NCSC notes that the payment of a ransom does not guarantee the recovery
of data, therefore it is not recommended to carry out requested money transfers.
A copy of the encrypted data can be saved in the hope that decryption keys will
be publicly available in the future.5
8. EXERCISE
As the number of cyber-attacks is growing, it is particularly important to
respond promptly to the emerging threats, to recognize and prevent them.
Cybersecurity exercises are one of the best practical tools to help train employees of
organizations and security personnel.
In 2017 the national cyber security exercise „Kibernetinis skydas 2017“ (Cyber
shield 2017), organized by NCSC, took place in Lithuania. The training audience
consisted of more than 200 IT department managers and cyber security specialists from
more than 50 public institutions, information resource managers, research
institutions, energy companies, communications operators and companies trained in
cyber incident management and control. Goals of the exercise: to develop
co-operation between SIR and CII managers and investigators of cyber incidents, to
develop the capabilities to stop incidents in SIR and CII, to test the procedures of the
National Cyber Incident Management Plan, to develop the application of skills. In the
training sessions, heads of the institutions and companies trained to manage cyber
incidents, to detect vulnerabilities of the systems and remove them in accordance with
the legal cyber security framework established in Lithuania. In the technical part of
the training, specialists were trained to manage cyber-attacks in a virtual information
infrastructure created specifically for the exercise. Teams worked from training
places in Vilnius, Kaunas and other cities of Lithuania. During the exercise the cyber
incident management platform for SIR and CII managers (created by NCSC) was tested.
In the year 2017 Lithuania, together with Latvia, Estonia and the USA,
participated in the international exercise Baltic Ghost 2017. The goal of this exercise
was to strengthen cooperation between the three Baltic States and the United States of
America in the case of dangerous cyber incidents (critical infrastructure protection
in the region, the identification of civilian and military cyber organizations that
support each other in a cyber crisis, and the most effective ways and means of
exchanging information) and to check which common high-level procedures are necessary.
The Lithuanian representatives participated in the NATO-hosted exercise Cyber
Coalition 2017. The goal of this exercise was to check the effectiveness of NATO's
response and information exchange during cyber-threats.
In the second quarter of 2017 Lithuania participated in the annual
international cyber security exercise Locked Shields 2017 organized by the NATO
Cooperative Cyber Defence Centre of Excellence. During the exercise, the teams played
the role of targets that also supervise military air force networks and suffer
attacks on the electricity distribution grid, command and control systems and
critical information infrastructure. Locked Shields 2017 was the largest international
cyber security exercise in terms of scenarios, technologies used and the number of
countries involved. Over 2 500 different types of attacks have been prepared for the
participants and more than 3 000 virtual systems have been used. The exercise took
place in simulated cyberspace in real time, involving over 800 professionals from 25
countries.6
4 Activity report for the year 2017 of the National Electronic Communication Networks and Information Security Investigation Division of the Republic of Lithuania. https://www.cert.lt/doc/2017.pdf
5 https://www.nomoreransom.org/
6 https://ccdcoe.org/locked-shields-2017.html
CONCLUSIONS, RECOMMENDATIONS AND PROGNOSIS
Conclusions
The situation of cyber security in Lithuania slightly improved in 2017
compared to 2016. However, not enough effort is invested in cyber security in
relation to the growth of cyber threats. The main reasons that allowed making this
assumption are:
1. An improvement in compliance with organizational and technical cyber
security requirements in the state information resources and critical
information infrastructure shows growing attention from organizations towards
cyber security. On the other hand, regulations are implemented ad hoc,
fragmentarily and formally, while an increasing number of incidents
suggests that organizations do not implement appropriate tools to remove the
known vulnerabilities and deter threats.
2. An increase in the reconnaissance of electronic communication networks
(including industrial control systems), as well as the increasing amount of
malware, points to insufficient abilities of organizations to protect themselves
against the threats and ensure an adequate level of protection and
resistance.
3. The total number of cyber incidents processed by NCSC reached 54 950,
including public and private sectors, which is 10% higher if compared to the
year 2016. These statistics point to a possible challenge for the electronic
environment of Lithuania, citizens, public sector and businesses.
4. The growing number of social engineering based cyber-attacks shows that
gullibility and a lack of awareness and knowledge among the users and employees
of organizations are still among the main cyber security vulnerabilities.
5. Improving capabilities of NCSC and expanding the monitored space allowed
detecting more malware, undetectable by other tools. However,
organizations still reluctantly report cyber incidents found in their networks and are
not prone to share information and threat indicators.
6. The ever changing cyber security state of Lithuania's public sector websites
shows that software is not updated in time and organizations struggle to
ensure the cyber security of their websites. Moreover, when purchasing website
hosting and administration services they do not include requirements to
ensure compliance with cyber security regulations in the purchasing
contracts.
Recommendations
• In order to ensure greater maturity of organizations in solving cyber-se-
curity issues and preventing cyber threats, it is recommended completely
implement the organizational and technical requirements for cyber secu-
rity set by the Government. Seeking to avoid formal requirements imple-
mentation NCSC recommends planning material and human resources for
cyber security.
• In order to ensure fluent management of cyber incidents, NCSC re-
commends approving the procedures defining cyber incident manage-
ment, collecting information and informing the competent authorities in
accordance with the organizational and technical cyber security require-
ments set by the Government.
• NCSC recommends the use of technical and organizational measures for
strict control of the equipment and software allowed to be part of an
organization’s internal network (application identification, unauthorized
software restriction) when developing the basics of cyber security of
computer networks. Careful configuration and standardization of security
settings for the devices and software used by the organization is one of
the cores of network security. Taking into consideration the technical
features of the incidents observed by NCSC, it is important to emphasize that
continuous maintenance of the software used by the organization and the
implementation of security updates is a critical process for protecting against
newly emerging cyber threats. Where remote communication between elements of
the organization’s network is needed, it is important to ensure that
communication over public networks is additionally protected by encryption
technologies. It is important to strictly control the allocation and use of
administrator privileges and to apply technical measures that restrict
potentially harmful actions by computer users. Taking into consideration the
growing number of viruses demanding ransom, we propose applying reliable and
verified measures to make and store back-up copies of critically important data.
• NCSC emphasizes that enhancing the ability of organizations to identify
cyber-attacks based on social engineering is vital in enhancing
organizations’ resilience to cyber threats. This can be achieved by regular
training of employees and checks on resilience to intrusions that imitate
malicious actions, using external expertise if necessary or in the absence of
in-house competence.
• NCSC notes that in order to improve user awareness and the ability to
identify cyber threats, users should be informed and aware that the address
of the sender of an incoming email can be forged (so it should not always be
trusted). They should pay attention to grammatical mistakes in the sentences
(the text is translated into Lithuanian through automatic means). Users
should not be in a hurry to open the attachments of the letter and the links
provided: they should think about whether the sender is known and whether they
were expecting the letter. The user can check a link by hovering the mouse
pointer over it, and an informational message is automatically displayed
(Fig. 31). Users should pay attention to the subject of the letter, be careful
of sensational headlines, not believe in easy financial gain or material
benefits, and be wary of passwords presented in the body of the letter. Users
should be fully aware that nobody has the right to ask for their passwords,
so each request (on behalf of the administrator or on behalf of law
enforcement) should cause suspicion. In order to protect personal data and
stored information, only legitimate commercial or open source software
should be used on the computers (malicious code is often added to illegal
software), and protective measures should operate properly (many security
products allow home users to use free versions of their programs).
Fig. 31. A link to a malicious website
• In order to protect publicly accessible systems or websites from intrusion
and illegal alterations to content, organizations should periodically update
the software used on their servers and restrict access to the administration
interface (for example, with access control lists). The remote administration
of the website should be done through a trusted communication channel (for
example, a virtual private network). Additional security measures should
be used (a web application firewall), together with strict control of the
accounts with administrative rights, use of sophisticated and regularly
changed access passwords, regular audit of logs and, if necessary, purchase of
DDoS protection services. Organizations may indicate the need for security
measures in the terms of the purchased hosting service agreement.
Prognosis
Taking into account the trends of global and Lithuanian cyber threats,
NCSC predicts that in 2018 security vulnerabilities will be sought in the
information resources and critical information infrastructures of Lithuania.
Interest in technological processes and internet-connected devices will
continue to grow.
It is anticipated that social engineering methods will become increasingly
advanced and that there will be many cases of targeted cyber-attacks. Due to
insufficient user awareness, the number of successful cyber-attacks of this
kind will increase in the future.
Taking into consideration that user awareness of cyber threats is low, that
the measures necessary to ensure cyber security are not installed in time and
that the number of viruses encrypting data is increasing, it is anticipated
that the number of successful attacks of this kind will increase in the future.
The growing amount of sophisticated malicious software in 2017 suggests that
in 2018 more and more unknown vulnerabilities will be exploited.
The foreign affairs and security policy, energy, public security and legal
order sectors will continue to be the main targets of well-focused cyber-attacks.
Relying on the recent trends in cyber threats, NCSC notes the need to develop
the basis of cyber security expertise in the public sector, to accumulate
knowledge and develop skills, and to plan resources adequately in order to
reduce the risk of cyber security threats.