May 10, 2018 | SSS Security Consulting Team
What is the CERT NZ quarterly report?
Each quarter, CERT NZ publishes a report presenting information and statistics on the cyber security incidents reported that quarter, as well as the latest cyber security threats in New Zealand. They have recently published their quarterly report for Q4 of 2017 (1 October – 31 December) which, in addition to the above, provides a summary of results from the entire year.
The incident reporting initiative went live in April 2017 and has since received 1,100 reports from individuals and organisations across New Zealand. These reports have come from various industries and sectors, offering a holistic view of cyber security issues within the country. So far, the initiative has been gaining momentum, with 377 incident reports provided during Q4.
What happened in Q4?
Some of the key points contained within the report are:
- reported financial losses from incidents during Q4 were $3.4m, more than double the losses reported in Q3,
- the total financial loss to New Zealanders from cyber security incidents since April 2017 is now over $5.3 million,
- there has been an increase in sophisticated phishing campaigns that aim to steal people’s credentials, a common threat for all types of businesses, and
- there has been a growing interest in the theft of cryptocurrencies, which is contributing to an increase in cryptocurrency scams in New Zealand. These types of scams resulted in nearly $265k in losses in quarter four alone.
During Q4, CERT NZ expanded category reporting to include all types of incidents, including those referred to New Zealand Police and Netsafe. 377 incident reports were generated, and the most commonly reported incident types were scams and fraud (37%) and phishing and credential harvesting (33%). Other incidents were unauthorised access (10%), malware (8%), reported vulnerabilities (4%), and ransomware (4%).
Source: CERT NZ Quarterly Report
What can our clients do about the current cyber security threats?
Of the incidents reported during Q4, those that resulted in a successful attack may have been prevented by incorporating CERT NZ’s critical controls for 2018. These controls (10 in total) aim to provide a basic level of cyber security capability and will help mitigate the clear majority of cyber-attacks. These are as follows:
1. Patch your software.
2. Upgrade or replace legacy systems.
3. Disable unused services and protocols.
4. Implement application whitelisting.
5. Change default credentials.
6. Deploy multi-factor authentication.
7. Enforce the principle of least privilege.
8. Implement and test backups.
9. Configure centralised logging.
10. Manage your mobile devices.
How do CERT NZ’s critical controls map to the incident reports from Q4?
The two most reported incident types from Q4 were scams & fraud (37%) and phishing & credential harvesting (33%). By implementing the controls suggested by CERT NZ, most of these would have been prevented.
For example, some of the phishing & credential harvesting attacks took the form of users being directed to fake tech support and crypto wallet websites via one or more links embedded in an email. After clicking the link and arriving at the site, users were asked to provide their credentials, which were then stolen and used by the attacker to access the genuine site. By incorporating multi-factor authentication, users could have mitigated this attack as they would have retained the second factor (e.g. a token or PIN).
Other examples included users that were not directed to fake sites. Instead, the link initiated the installation of one or more applications that an attacker could use to monitor the user’s activity and steal information (e.g. a keylogger). By implementing application whitelisting, this type of attack would not be successful as attempts to upload and install the attacker’s application would not be permitted by the device/system.
What is the most important security control?
In nearly all the attacks during Q4, the overarching security control that will prevent their success is instilling and nurturing mature cyber security behaviour amongst people. Although this is not listed in the CERT NZ critical controls list (which focusses more on technical controls), scams and fraud, as well as phishing and credential harvesting, rely upon the actions of the user/victim to be successful. Whether this is clicking on a link or providing sensitive information to fake websites, users that understand how attacks work are more likely to evade and report them.