NCSC prevents $70m harm against NZ's nationally significant organisations
New Zealand's nationally significant organisations have faced at least 352 cyber incidents in the 2019/2020 year, but the dangers are far from over.
New Zealand's National Cyber Security Centre (NCSC) has published its Cyber Threat Report for 2019/2020, which provides a sobering insight into the malicious attacks against New Zealand businesses.
The NCSC classifies nationally significant organisations as critical government departments, key economic generators, niche exporters, research institutions, and critical national infrastructure operators.
The NSCS claims it has prevented $70 million in harm to New Zealand's nationally significant organisations, based on a statistical model which was revalidated during the reporting year.
According to NCSC director Hamish Beaton, attackers have been particularly keen to exploit known vulnerabilities in internet-facing applications, remote desktop services, and virtual private network applications.
The report states, "In 2019/20, 12% of reported cyber incidents were linked to known vulnerabilities in software and devices. In some instances, malicious cyber actors exploited vulnerabilities within weeks of their initial public disclosure. Several other vulnerabilities were publicly disclosed more than 12 months prior to their exploitation, highlighting the need for organisations to regularly patch their systems and conduct security testing to identify and mitigate known vulnerabilities."
Beaton explains, “This means organisations with poor security posture are more likely to become a victim of malicious cyber activity, and are much less likely to detect such activity before harm is caused.
The report also found that 83% of security incident were detected before ‘significant' harm occurred, while 17% were detected after the compromise had already been successful.
Of the 352 incidents, 30% had links to state-sponsored actors - a smaller proportion than in the previous year. While the NCSC did not share specific details in the report, it does state that state-sponsored actors often obfuscate their activities so they appear similar to other types of cybercrime, and even legitimate online activity.
“State-sponsored cyber activity remains more sophisticated and persistent than criminal or non-state activity, and accounts for most of the NCSC's high priority cybersecurity incidents. This type of activity poses a more serious national security threat, as it is typically conducted for geopolitical or economic purposes and is more likely to affect organisations of national significance.
While August's DDoS attacks on the NZX occurred this year, they have not been included in NCSC's report as they occurred outside of the reporting period.
“What these attacks highlighted is that attackers who are intent on disrupting the availability of systems can be just as damaging as those who seek to steal sensitive information,” the Centre says.
COVID-19 contributed to significant demand for cybersecurity guidance, due to an increasing reliance on digital platforms by New Zealand's public and private sectors.
“We responded to this through greater direct engagement with customers and by publishing more guidance on our website, particularly around adopting cloud services and remote working solutions,” says Beaton.
“Post COVID-19 lockdown we have followed up with further guidance advising organisations to review their security settings and the changes they made in response to COVID-19, to ensure any risks associated with the rapid changes required pre lockdown are effectively mitigated.
Furthermore, the Centre has noticed an uptick in the amount of organisation self-reporting incidents, which reflects rising cyber awareness and willingness to share incidents they have faced.
CERT NZ also published its Q3 review this week, which covers security incidents related to a broader range of New Zealand individuals and businesses.
NCSC reiterates that its statistics relate only to New Zealand's nationally significant businesses so the figures are vastly different.
“CERT NZ, who we work closely with, released its quarterly report, recording 2610 reports from organisations and individuals for the three months to 30 September 2020. This difference in recorded events reflects the different perspectives our organisations have on the New Zealand cyber threat landscape,” says Beaton.
NCSC runs the CORTEX security capabilities and recently completed the pilot and initial delivery of Malware Free Networks, a malware detection, disruption, and threat intelligence sharing service.
NSCS recommends the following:
- Systems and applications should be regularly maintained, and patches or mitigations for newly disclosed vulnerabilities prioritised.
- Critical or sensitive data should be appropriately secured, especially when stored on cloud services or accessible from internet-facing servers.
- Systems and networks should be monitored for malicious or unusual activity, with effective logging implemented to aid detection of and response to such activity.
- Security should regularly be tested to identify vulnerable systems, services and processes before they can be exploited.
- Plans for responding to and managing cyber incidents should be established and tested.
- Cybersecurity training and practical guidance should be given to staff, including those who work remotely.
- In combination, such actions create layers of cyber defence which makes it more difficult for malicious cyber actors to succeed, reduces the potential harm that may be caused, and enables an organisation to more swiftly detect, respond to, and recover from cyber incidents.