The GCSB has issued a "be prepared" advisory for all Kiwi businesses on the heels of the stock exchange suffering a fifth day of outages linked to cyber-attacks, unsuccessful attacks on Stuff and RNZ's websites over the weekend, and ransomware incidents that have hit, F&P Appliances, Lion, Toll Group and the Unversity of Auckland (where a ransom was paid by the US firm hosting its data), among others.
The advisory (in full below) comes from the GCSB's National Cyber Security Centre.
Small businesses without their own IT department - or anyone who finds it all Greek - is advised to contact another Crown agency, Cert (Computer Emergency Response Team) NZ.
Cert NZ was set up to advise individuals and small businesses on where to turn in law enforcement or the IT world if they suffer a cyber attack.
There's potential for NCSC and Cert NZ to be overwhelmed if Kiwi businesses do seek advice en masse.
After a wave of cyber-attacks across the Tasman, Prime Minister Scott Morrison ear-marked $1.4 billion to put his country on a "war-footing" with hackers.
Our cyber-defence effort is measured in the tens of millions.
Today's GCSB advisory follows a Cert NZ warning last November that a group of hackers mimicking Russian hacker gang "Cozy Bear" were targeting NZ financial institutions with DDoS (distributed denial of service attacks) that overwhelm a website with connection requests - thereby rendering it inaccessible.
Threats are coming from multiple directions, experts say, including state actors, criminal gangs, insiders gone rogue, hackers just getting their kicks, and organisations who Inadvertently spill data into the cloud.
Cert NZ: Don't pay a ransom
Declan Ingram, deputy director of Crown cybersecurity agency Cert NZ, said his organisation never commented on individual cases, because it did not want to inhibit organisations from reporting problems.
But late last year, Cert did issue an alert around DDoS extortion attempts by Russian gangs - or at least gangs claiming to be Russian - who were targeting the financial sector in New Zealand.
And he told the Herald, "In 2019 we received 84 incident reports about DDoS attacks. In particular, cyber attackers emailed organisations alerting them that they would be subject to a DDoS attack unless they paid a ransom before a specified deadline. In some instances, the attackers initiated a warning or demonstrative attack against the organisation's IP network to prove their intent.
"Cert NZ does not recommend paying ransoms, as this could result in being targeted again," Ingram said.
That might be the official advice, but Wellington lawyer Michael Wigley has said there are some situations when paying up is the pragmatic choice - and Garmin reportedly paid a recent $14m ransom demand.
Cert NZ has also provided a couple of bits of advice on top of the GCSB tips below.
One is to educate staff to be suspicious of email attachments, or any digital assets their unsure of.
The other is a "cold backup" - or the old-fashioned process of copying vital files to a hard drive then storing them off-site.
A cold backup should be done as a complement to a cloud backup.
General Security Advisory: Ongoing campaign of DoS attacks affecting New Zealand entities
• The National Cyber Security Centre (NCSC) is aware of an ongoing campaign of denial-of-service (DoS) attacks affecting New Zealand entities.
• The campaign has included the targeting of a number of global entities, predominantly in the financial sector.
• The NCSC strongly encourages all organisations in this sector to consider the risk to their organisation of DoS and ensure appropriate mitigations are in place.
The NCSC recommends following the steps provided below, replicated from the Australian Cyber Security Centre1. It reflects best practice developed in response to previous denial of service activity.
Preparing for denial-of-service attacks
Before implementing any measures to prepare for denial-of-service attacks, organisations should determine whether a business requirement exists for their online services to withstand denial-of-service attacks, or whether temporary denial of access to online services is acceptable to the organisation.
If organisations wish to increase their ability to withstand denial-of-service attacks, they should, where appropriate and practical, implement the following measures prior to any denial-of-service attacks beginning:
• Determine what functionality and quality of service is acceptable to legitimate users of online services, how to maintain such functionality, and what functionality can be lived without during denial-of-service attacks.
• Discuss with service providers the details of their denial-of-service attack prevention and mitigation strategies. Specifically, the service provider's:
• capacity to withstand denial-of-service attacks
• any costs likely to be incurred by customers resulting from denial-of-service attacks
• thresholds for notifying customers or turning off their online services during denial-of-service attacks
• pre-approved actions that can be undertaken during denial-of-service attacks
• denial-of-service attack prevention arrangements with upstream providers (e.g. Tier 2 service providers) to block malicious traffic as far upstream as possible.
• Protect organisation domain names by using registrar locking and confirming domain registration details (e.g. contact details) are correct.
• Ensure 24x7 contact details are maintained for service providers and that service providers maintain 24x7 contact details for their customers.
• Establish additional out-of-band contact details (e.g. mobile phone number and non-organisational email) for service providers to use when normal communication channels fail.
• Implement availability monitoring with real-time alerting to detect denial-of-service attacks and measure their impact.
• Partition critical online services (e.g. email services) from other online services that are more likely to be targeted (e.g. web hosting services).
• Pre-prepare a static version of a website that requires minimal processing and bandwidth in order to facilitate continuity of service when under denial-of-service attacks.
• Use cloud-based hosting from a major cloud service provider (preferably from multiple major cloud service providers to obtain redundancy) with high bandwidth and content delivery networks that cache non-dynamic websites.
• If using a content delivery network, avoid disclosing the IP address of the web server under the organisation's control (referred to as the origin web server), and use a firewall to ensure that only the content delivery network can access this web server.
• Use a denial-of-service attack mitigation service.
Responding to denial-of-service attacks
Organisations that wish to attempt to withstand denial-of-service attacks, but have not pre- prepared should, where appropriate and practical, implement the following measures, noting that they will be much less effective than had they been able to adequately prepare beforehand:
• Discuss with service providers their ability to immediately implement any responsive actions, noting service providers may be unable or unwilling to do so, or may charge additional fees for services not covered in contracts.
• Temporarily transfer online services to cloud-based hosting hosted by a major cloud service provider (preferably from multiple major cloud service providers to obtain redundancy) with high bandwidth and content delivery networks that cache non-dynamic websites. If using a content delivery network, avoid disclosing the IP address of the origin web server, and use a firewall to ensure that only the content delivery network can access this web server.
• Use a denial-of-service attack mitigation service for the duration of the denial-of-service attacks.
• Deliberately disable functionality or remove content from online services that enable the current denial-of-service attack to be effective (e.g. implement a pre-prepared low resource version of the website, remove search functionality, or remove dynamic content or very large files).