The GCSB has issued a "be prepared" notice to all Kiwi companies after the stock market suffered a fifth day of cyberattack-related disruption, failed attacks on the Stuff and RNZ websites at the weekend, and ransomware incidents that have hit F&P Appliances, Lion, Toll Group and the University of Auckland (where the US firm hosting its data paid a ransom), among others.
The notice (reproduced in full below) comes from the GCSB's National Cyber Security Centre (NCSC).
Small businesses without their own IT department, or anyone who finds it all Greek, are advised to contact another Crown agency, Cert NZ (the Computer Emergency Response Team).
Cert NZ was created to advise individuals and small businesses on where to turn, in law enforcement or the IT industry, if they experience a cyberattack.
There is a possibility that NCSC and Cert NZ will be overwhelmed if New Zealand companies seek advice in droves.
Following a wave of cyberattacks across the Tasman, Australian Prime Minister Scott Morrison allocated $1.4 billion to put his country on a "war footing" with hackers.
Our own cyber defence effort is measured in the tens of millions.
Today's GCSB advisory follows a warning from Cert NZ last November that a group of hackers mimicking the Russian hacking gang "Cozy Bear" was targeting New Zealand financial institutions with DDoS (distributed denial of service) attacks, which overwhelm a website with connection requests and render it inaccessible.
Threats come from multiple directions, experts say, including state actors, criminal gangs, insiders who have gone rogue, hackers who are just having fun, and organizations who inadvertently spill data into the cloud.
Cert NZ: Don’t pay a ransom
Declan Ingram, deputy director of the Crown cybersecurity agency Cert NZ, said his organization never comments on individual cases because it does not want to discourage organizations from reporting problems.
But late last year, Cert issued an alert on DDoS extortion attempts by Russian gangs, or at least gangs claiming to be Russian, targeting the financial sector in New Zealand.
And he told the Herald: "In 2019 we received 84 incident reports about DDoS attacks. In particular, cyber attackers sent emails to organizations to alert them that they would be subject to a DDoS attack unless they paid a ransom before a specific deadline. In some cases, attackers launched a warning or demonstrative attack against the organization's IP network to demonstrate their intent.
“Cert NZ does not recommend paying ransoms, as this could result in being attacked again,” Ingram said.
That may be the official advice, but Wellington lawyer Michael Wigley has said there are situations where paying is the pragmatic option, and Garmin reportedly paid a recent $14 million ransom demand.
Cert NZ has also provided a couple of tips in addition to the GCSB tips below.
One is to educate staff to be suspicious of email attachments or any digital assets they are unsure of.
The other is a "cold backup": the old-fashioned process of copying vital files to a hard drive and then storing that drive off-site.
A cold backup should supplement a cloud backup, not replace it.
General Security Advisory: Ongoing Campaign of DoS Attacks Affecting New Zealand Entities
Summary
• The National Cyber Security Centre (NCSC) is aware of an ongoing campaign of denial of service (DoS) attacks affecting New Zealand entities.
• The campaign has included the targeting of a number of global entities, predominantly in the financial sector.
• NCSC strongly encourages all organizations in this industry to consider the risk of DoS to their organization and to ensure that appropriate mitigations are in place.
Recommendations
The NCSC recommends following the steps below, replicated from the Australian Cyber Security Centre [1]. They reflect best practice developed in response to previous denial of service activity.
Preparing for denial of service attacks
Before implementing any measures to prepare for denial of service attacks, organizations should determine if there is a business requirement for their online services to resist denial of service attacks, or if the temporary denial of access to online services is acceptable to the organization.
If organizations want to increase their ability to resist denial of service attacks, they should, where appropriate and practical, implement the following measures before any denial of service attack begins:
• Determine what functionality and quality of service is acceptable to legitimate users of online services, how to maintain that functionality, and what functionality can be lived without during denial of service attacks.
• Discuss with service providers the details of their denial of service attack prevention and mitigation strategies, specifically the service provider's:
  • ability to resist denial of service attacks
  • any costs that customers may incur as a result of denial of service attacks
  • thresholds for notifying customers or disabling their online services during denial of service attacks
  • pre-approved actions that can be taken during denial of service attacks
• Establish denial of service attack mitigation arrangements with upstream providers (for example, Tier 2 service providers) to block malicious traffic as far upstream as possible.
• Protect your organization’s domain names by using Registrar Lock and confirming that the domain’s registration details (for example, contact details) are correct.
• Make sure 24×7 contact details are maintained for service providers and that service providers maintain 24×7 contact details for their customers.
• Establish additional out-of-band contact details (eg mobile phone number and non-organizational email) for use by service providers when normal communication channels fail.
• Implement availability monitoring with real-time alerts to detect denial of service attacks and measure their impact.
• Partition critical online services (eg email services) from other online services that are more likely to be targeted (eg web hosting services).
• Pre-prepare a static version of a website that requires minimal processing and bandwidth to facilitate continuity of service in the event of denial of service attacks.
• Use cloud-based hosting from a major cloud service provider (preferably from several major cloud service providers for redundancy) with high bandwidth and content delivery networks that cache non-dynamic websites.
• If you use a content delivery network, avoid revealing the IP address of the web server under the organization's control (known as the origin web server) and use a firewall to ensure that only the content delivery network can access this web server.
• Use a denial-of-service attack mitigation service.
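The availability-monitoring item above ("real-time alerts to detect denial of service attacks and measure their impact") as an added example, not code from the GCSB or ACSC advisory: a small Python monitor that keeps a sliding window of probe results and raises an alert once the failure ratio or the median latency crosses a threshold, then reports recovery when the window clears. The window size, thresholds and probe data are constructed assumptions; `probe_http` is included so the same logic can be fed live measurements, but the sample run uses only the constructed data.

```python
"""Availability monitor with threshold alerting (added example; sample probes
are constructed, not real measurements)."""
import time
import urllib.error
import urllib.request
from collections import deque
from dataclasses import dataclass
from typing import Deque, Iterable, List, Optional


@dataclass
class Probe:
    ts: int            # probe time, epoch seconds (synthetic in the sample)
    ok: bool           # True if the service answered with a healthy status
    latency_ms: float  # time to first byte, in milliseconds


class AvailabilityMonitor:
    """Sliding window of probes; alerts on failure ratio or median latency.
    Thresholds are assumed values, tune them to the service's normal baseline."""

    def __init__(self, window: int = 10, max_fail_ratio: float = 0.3,
                 max_p50_ms: float = 1500.0):
        self.window: Deque[Probe] = deque(maxlen=window)
        self.max_fail_ratio = max_fail_ratio
        self.max_p50_ms = max_p50_ms
        self.alerting = False  # current state, so we alert on transitions only

    def add(self, probe: Probe) -> Optional[str]:
        """Record one probe; return an event string on a state change, else None."""
        self.window.append(probe)
        if len(self.window) < self.window.maxlen:
            return None  # not enough samples to judge yet
        fails = sum(1 for p in self.window if not p.ok)
        fail_ratio = fails / len(self.window)
        latencies = sorted(p.latency_ms for p in self.window)
        p50 = latencies[len(latencies) // 2]  # upper median
        degraded = fail_ratio >= self.max_fail_ratio or p50 >= self.max_p50_ms
        if degraded and not self.alerting:
            self.alerting = True
            return f"ALERT {probe.ts}: fail_ratio={fail_ratio:.2f} p50={p50:.0f}ms"
        if not degraded and self.alerting:
            self.alerting = False
            return f"RECOVERED {probe.ts}"
        return None


def probe_http(url: str, timeout: float = 5.0) -> Probe:
    """Live probe (not used by the sample run): one GET with a hard timeout.
    4xx/5xx raise HTTPError (a URLError subclass) and count as failures."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            ok = 200 <= resp.status < 400
    except (urllib.error.URLError, OSError):
        ok = False
    return Probe(int(time.time()), ok, (time.monotonic() - start) * 1000.0)


def run(probes: Iterable[Probe], monitor: Optional[AvailabilityMonitor] = None) -> List[str]:
    """Feed probes through a monitor and collect the alert/recovery events."""
    mon = monitor or AvailabilityMonitor()
    events = []
    for p in probes:
        event = mon.add(p)
        if event:
            events.append(event)
    return events


# Constructed sample: 10 healthy probes, 10 slow probes with every second one
# failing (the shape of a volumetric attack saturating the link), then 10 healthy.
SAMPLE_PROBES = (
    [Probe(t, True, 120.0) for t in range(0, 100, 10)]
    + [Probe(t, t % 20 == 0, 2500.0) for t in range(100, 200, 10)]
    + [Probe(t, True, 130.0) for t in range(200, 300, 10)]
)

if __name__ == "__main__":
    for event in run(SAMPLE_PROBES):
        print(event)
```

The median-latency check fires before the failure ratio does in the sample, which is the useful property: a DoS usually shows up as a slowdown before it becomes outright errors, and alerting on transitions rather than on every degraded probe keeps the on-call channel readable during a sustained attack.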
Responding to denial of service attacks
Organizations that wish to attempt to resist denial of service attacks but have not prepared in advance should, where appropriate and practical, implement the following measures, bearing in mind that they will be much less effective than if the organization had been able to prepare adequately in advance:
• Discuss with service providers their ability to immediately implement any response action, bearing in mind that service providers may not be able or willing to do so, or may charge additional fees for services not covered in contracts.
• Temporarily transfer online services to cloud-based hosting from a major cloud service provider (preferably from several major cloud service providers for redundancy) with high bandwidth and content delivery networks that cache non-dynamic websites. If you use a content delivery network, avoid revealing the IP address of the origin web server and use a firewall to ensure that only the content delivery network can access this web server.
• Use a denial of service attack mitigation service for the duration of denial of service attacks.
• Deliberately disable functionality or remove content from online services that allows the current denial of service attack to be effective (for example, deploy a low-resource pre-prepared version of the website, remove search functionality, or remove dynamic content or very large files).
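The origin-protection advice in both lists above (hide the origin web server's address and let only the content delivery network reach it) as an added example, not code from the advisory: Python that renders an nftables allowlist from a set of CDN source prefixes and scans an origin's access log for requests that did not arrive through the CDN, which is the signal that the origin address has leaked and the firewall rule is doing real work. The CDN prefixes, admin network and log lines are constructed; a real CDN publishes its own egress ranges, and the ruleset must be regenerated whenever that list changes.

```python
"""Lock an origin web server down to CDN source ranges and detect direct hits
(added example; all prefixes and log lines below are constructed)."""
import ipaddress
import re
from typing import Iterable, List

# Assumed CDN egress prefixes; substitute the provider's published list.
CDN_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48"]
# Assumed management network, the only source allowed to reach SSH.
ADMIN_PREFIX = "192.0.2.0/28"


def build_nftables(cdn_prefixes: Iterable[str], admin_prefix: str) -> str:
    """Render an nftables ruleset: default-drop input chain, HTTP/HTTPS only
    from CDN prefixes, SSH only from the admin prefix. Web traffic from any
    other source is counted before being dropped, so the counter itself
    shows whether the origin address is being hit directly."""
    nets = [ipaddress.ip_network(p) for p in cdn_prefixes]
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]
    lines = ["table inet origin_guard {"]
    if v4:  # an interval set with no elements is invalid, so emit sets only when non-empty
        lines.append("  set cdn_v4 { type ipv4_addr; flags interval; elements = { %s } }" % ", ".join(v4))
    if v6:
        lines.append("  set cdn_v6 { type ipv6_addr; flags interval; elements = { %s } }" % ", ".join(v6))
    lines += [
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    if v4:
        lines.append("    ip saddr @cdn_v4 tcp dport { 80, 443 } accept")
    if v6:
        lines.append("    ip6 saddr @cdn_v6 tcp dport { 80, 443 } accept")
    lines += [
        f"    ip saddr {admin_prefix} tcp dport 22 accept",
        "    tcp dport { 80, 443 } counter drop  # anything counted here bypassed the CDN",
        "  }",
        "}",
    ]
    return "\n".join(lines)


# Combined log format prefix: client address first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')


def is_cdn_source(ip: str, cdn_prefixes: Iterable[str]) -> bool:
    """True if ip lies inside one of the CDN prefixes. Exact prefix math, so
    198.51.100.200 is correctly outside 198.51.100.0/25."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in cdn_prefixes)


def direct_hits(log_lines: Iterable[str], cdn_prefixes: Iterable[str]) -> List[str]:
    """Client addresses that reached the origin without passing through the CDN."""
    prefixes = list(cdn_prefixes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ip = m.group(1)
        if not is_cdn_source(ip, prefixes):
            hits.append(ip)
    return hits


SAMPLE_LOG = [  # constructed origin access-log lines
    '203.0.113.7 - - [27/Aug/2020:10:00:01 +1200] "GET / HTTP/1.1" 200 512',
    '198.51.100.9 - - [27/Aug/2020:10:00:02 +1200] "GET /about HTTP/1.1" 200 1024',
    '192.0.2.44 - - [27/Aug/2020:10:00:03 +1200] "GET / HTTP/1.1" 200 512',
    '2001:db8:100::1 - - [27/Aug/2020:10:00:04 +1200] "GET /search?q=x HTTP/1.1" 200 2048',
    '198.51.100.200 - - [27/Aug/2020:10:00:05 +1200] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(build_nftables(CDN_PREFIXES, ADMIN_PREFIX))
    print("direct-to-origin clients:", direct_hits(SAMPLE_LOG, CDN_PREFIXES))
```

Two of the five sample requests bypass the CDN: one from the admin range (expected, but it still shows the origin answers web requests from outside the CDN, which the generated ruleset would stop) and one from an address just outside a /25 boundary, the kind of off-by-one that a hand-written allowlist of "198.51.100.x" would have let through. Load the ruleset with `nft -f` only after confirming the admin prefix is correct, since the default-drop policy also applies to your own SSH session.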