Outgoing GCSB leader shares cyber security insights
"Much that I have learned must stay in the classified domain," said Una Jagose in her last public address as acting Director of the Government Communications Security Bureau.
She has since taken office as the 17th Solicitor General of New Zealand.
"However, when it comes to information assurance, cyber security – or "data security" if you like – there is much that I have learned that I can share with you."
Speaking at a "Cyber Risk Workshop" recently hosted in Wellington by law firm Minter Ellison Rudd Watts, Ms Jagose said she had "observed first-hand the interesting and often challenging work that is carried out by the intelligence community to keep New Zealand – its people and its information – secure".
She said she hopes her observational insights can benefit professionals in their day-to-day jobs, to help protect business sensitive data and client/customer data from "increasingly pervasive and sophisticated cyber threats".
While technology, such as security software, plays a vital role in ensuring network safety, education and increasing awareness around cyber risk management is equally critical, Ms Jagose said.
"It is essential that systems and data are protected by a multi-layered approach; an approach that combines effective governance and risk management with user education, effective policy settings and appropriate layers of security technology.
"Boards, executives and senior management already have a solid grasp of risk management.
"The challenge is to ensure the same rigour and discipline that is already applied to financial, legal, human resource, and operational risk, is applied to technology risk.
"Awareness and regular discussion at the executive and board tables, and more broadly across an organisation, are important first steps."
The cyber threat
"The rapid development and adoption of new technologies – e-commerce, cloud storage, mobile communications, 'byod' [bring your own device] - create new opportunities for cyber criminals and others who seek unauthorised access to your information," Ms Jagose said.
"The creation and exploitation of cyber threats is no longer the exclusive domain of well-resourced, highly technical criminals, or state supported actors.
"Today even people with relatively low levels of technical skill can purchase an exploit kit and start generating threats."
In New Zealand, incidents range in seriousness from the targeting of small businesses with "ransom ware" and attempts to obtain credit card information through to serious and persistent attempts to compromise the information systems of significant New Zealand organisations.
"While at times they are directly targeting significant New Zealand organisations, we are also seeing them use (and attempt to use) New Zealand-based systems as a "jumping off point" to host malware that is used to target overseas networks."
What is being targeted?
"Because of the relatively small size of our data sets and requirement to maintain confidentiality, the NCSC does not currently report on threats by industry sector."
It was possible however, Ms Jagose said, to gain relevant insight into the range of sectors being targeted by looking at overseas reporting.
Australian reporting indicates that cyber threats target sectors such as; Energy: 29%, Banking and finance: 20%, Communications: 12%, she said.
"In terms of data being targeted, cyber criminals and those behind cyber espionage are going for pretty much anything that can either advantage them or that they can on sell for a profit."
Banking, credit card and other financial transition credentials are very marketable commodities on the black market - the value of credit card details can be between US$30 and US$45 for a single card where full user information is captured, Ms Jagose said.
"So too are system user credentials, which can then be used to gain access to systems and enable further data extraction or manipulation, and identity information, which can be used to create false personas for fraudulent activity.
"Information targeted for more espionage related purposes includes business information - valuable intellectual property, business plans, pricing and acquisition strategies, and government information in all its various forms."
The most common threats
In the past year, the most common threat noted by the National Cyber Security Centre (NCSC) in New Zealand was "spear-phishing", which involved a victim being sent an email, often carefully tailored to the receiver, which contains a "threat" or a hyperlink to a threat that when opened enables a cyber-criminal to access the victim's device or network.
"Spear-phishing" made up about 30 percent of threats reported to the NCSC, followed by network intrusion (21%) and "botnets" (9.5%), then "drive by downloads" and denial of service (DoS) attacks.
It's not just you
"Organisations need to be aware that the threat is not just to them or necessarily directly targeted," Ms Jagose said.
"You could be targeted via a third party relationship or provide a vector for targeting others.
"Your whole supply chain needs to be secure and subject to the same risk management approach.
"This is an area of particular importance to those of you in the professional services sectors. Your organisation's systems are potentially points of accumulation of high value information from multiple organisations to which you are providing services.
"While your clients may have invested in significant information assurance protections, both technical and procedural, their relationship with your organisation could be the weak link. The potential liabilities – both financial and reputational – are significant."
Four key points for the tech-savvy
Ms Jagose shared the NCSC's "top four key mitigations" that can effectively protect against most cyber-threats.
- The use of application white listing: having a defined list of applications that are the only ones allowed to run on a network. This helps prevent malicious software and unapproved programmes from running.
- Patching operating system vulnerabilities: as new vulnerabilities are discovered in operating systems, vendors release patches (system updates) to address them (think of those iOS upgrades many of you will have been notified of recently).
- Similarly, patching applications: things like Java, PDF viewers, Flash, web browsers and Microsoft Office.
- And, finally, restricting administrative privileges to operating systems based on the user's duties.
"The application of these top four mitigations can reduce vulnerability by up to 80 percent," she said.
"It is clear that making our networks more resilient (and our information safer) requires a joined up approach.
"This means government and the private sector working more closely, and better sharing of threat information and of the strategies and tools to respond to threats.
"It also means organisations need to be better joined up in their own response – from board awareness and risk management, to executive engagement and regular reporting on cyber threat, through to user education and technical system management.
"Everyone has a role to play."
The GCSB's "cyber work" was largely delivered through the NCSC, which focused on defending against advanced threats of the type that cannot typically be mitigated using commercially available security tools, Ms Jagose said.
Last updated on the 16th September 2019