• Our Vision

    To be the trusted guardian of
    New Zealand's
    Information Assets

  • Our Goal

    No advanced, technology-borne compromise of the most significant national information infrastructures by June 2016.

NCSC name used in new twist on telephone scam

NCSC name used in new twist on telephone scam

Telephone scammers have used the National Cyber Security Centre’s (NCSC) name in a new twist on a known scam.

The NCSC has received a report of scammers telephoning a private number alleging the subscriber has been visiting “illegal websites”, and seeking personal information such as physical address and IP address.

A spokesperson for the NCSC says the Centre provides enhanced services to government agencies and nationally significant organisations to assist them to defend against cyber-borne threats.

“We do not contact private individuals or organisations, seeking personal information. This is just another version of known scams where people are contacted by scammers, alleging to be from an official organisation or reputable supplier, in an effort to get access to computer systems or personal information which can then be used for illegal activity,” the spokesperson says.

More information about telephone and online scams is available at:





Anyone contacted by scammers alleging to be from the NCSC should not provide any information and should report the contact to Netsafe.

read more

Cyber incidents for year to 30 June 2015

Media Statement

9 December, 2015

190 cyber incidents for year to 30 June 2015

The National Cyber Security Centre (NCSC) recorded a total of 190 cyber security incidents for the 12 months to 30 June 2015.

GCSB Acting Director, Una Jagose says that of the 190 recorded incidents, 114 were identified as targeting government systems, 56 targeting private sector – with a further 20 where the sector targeting was not identified in the reporting.

Ms Jagose said that while the total number of incidents is slightly lower than for the 12 month period to December 2013, where 219 incidents were recorded, this was likely to be due to changes to recording and reporting practices, rather than a reduction in incidents.

“In fact I believe the reverse to be true and that serious incidents are continuing to increase.  Over the past few months the NCSC incident response team is recording an average of one serious incident a day,” she says.

Of total incidents recorded by the NCSC for 2014/15 period spear phishing made up 30.5 percent, with 58 incidents, followed by network intrusion/compromise with 21.5 percent (41 incidents) and botnets, 9.5 percent (18 incidents).

Denial of service and drive by download incidents were both equal at 5.8 percent, with 11 recorded incidents each, followed by credentials compromise with 9.

The NCSC 2014/15 statistics record significantly fewer spam, and scam and web site defacement incidents than in previous years. 

The NCSC recorded just 7 scam/spam incidents in the 2014/15 period, which was just 4 percent of reporting, compared with 30 percent and 31 percent of reporting in the 2013 and 2012 calendar years.

There were 35 other recorded incidents, including virus (2), website hack (5) and internal misuse/breach/loss of device (4).

Ms Jagose, says the slight reduction in overall incidents (when compared to previous calendar year figures) is likely to be as a result of chances in approach - both victims and ours - rather than actual incident numbers.

“For example the reduced reporting of spam, scam and website defacement incidents is likely to be as a result of these type of incidents being now being reported to other organisations like Netsafe instead of the NCSC.

“We have also made changes to our own recording approach, specially relating to less advanced cyber threats, which will have reduced the total slightly,” she says.

The NCSC is an operating unit of the Government Communications Security Bureau.


Definition of Incident Types

Cyber Security Incident

The NCSC defines an incident as an occurrence or activity that impacts on the confidentiality, integrity or availability of an information system (infrastructure).

Network Intrusion

A network intrusion is an incident of unauthorised access to a computer network by malicious actors.


Botnet is a group or network of machines that have been infected with malicious software and are controlled as a group without the owner’s knowledge. These are usually used to send spam or initiate DDoS attacks.

Drive-by download

A drive-by download usually occurs when a user visits a website they have been directed to by a threat actor, generally via a phishing or spear phishing email.  The download will usually take advantage of a security flaw in a browser, app, or operating system that is out of date. This will be without the owner’s knowledge or approval with the objective to install malware.

Phishing/Spear phishing

Email, often a carefully engineered – to reflect a particular interest of the receiver -  which contain a threat, or a hyperlink to a threat, which when opened enables the adversary to access the user’s device or network.

Denial of Service

A denial-of-service (DoS) attack is where an attacker prevents legitimate users from accessing information or services through a flaw in the service, e.g. by “crashing” a web server.  A distributed denial-of-service (DDoS) attack is a more blunt form of this where the attacker uses multiple computers to flood a service to achieve the DoS outcome.  The computers involved are usually co-opted in some way, either by being part of a botnet or by unwittingly responding to a seemingly legitimate request that is forged so that the victim is flooded with responses.


read more

NCSC Security Advisory – NCSC-ADV-2015-0243


The National Cyber Security Centre (NCSC) advises that it is noting an increase in attacks employing a variety of known Exploit Kits which have infected websites in New Zealand.

Exploit kits are a type of malicious toolkit used to exploit security holes found in browsers and browser plug-ins (Adobe Flash, for example) for the purpose of spreading malware. 

Exploit kits pose a serious threat to all computer users ranging from private users to corporate networks.  Exploit kits can be more difficult to detect as they are often triggered by visiting legitimate, compromised web pages.  

It is most important to ensure that browsers and browser plug-ins are updated regularly to the latest versions.  Antivirus applications and signatures should also be kept up to date. 

NCSC has noted the following redirect sites hosting exploit kits, and where possible these should be blocked by network administrators: 






















The following IP addresses have been noted as hosting exploit kits. Communication to the following IP addresses may indicate exploit kit activity but blocking should only be considered on a case by case basis as IP addresses may have multiple users or be reassigned.


The NCSC can be contacted by email via incidents@ncsc.govt.nz or by phone on: 04 498 7654.

read more

November 2015 New Zealand Information Security Manual

New Zealand Information Security Manual

The November 2015 NZISM has now been published.

This version of the NZISM incorporates some new material, principally on Session Border Controllers. A small number of existing controls have seen wording adjustments and enhancements to improve clarity.  Additional explanatory material has been added throughout the document together with any typographical corrections that have been identified. 

The document has been split into two parts for this release. 

You can view the November 2015 NZISM parts 1 & 2 and the November 2015 Change Register here.

As always, comments and suggestions for improvements are welcome.  Please direct these to ism@gcsb.govt.nz

read more

Reporting an Incident

If your organisation has encountered or suspects a cyber-security incident, please complete and return the Cyber Security Incident - Report Form. If you require assistance in dealing with the incident, please complete the Cyber Security Incident – Request for Assistance Form. If required, you can speak with us directly on (04) 498-7654.

Some Interesting Stats

In the 12 months to 30 June 2015 the NCSC recorded a total of 190 incidents. Of those 114 were identified as targeting government systems, 56 targeting private sector – with a further 20 where the sector targeting was not identified in the reporting. Of total recorded incidents for the 2014/15 period spear phishing made up 30.5 percent, with 58 incidents, followed by network intrusion/compromise with 21.5 percent (41 incidents) and botnets, 9.5 percent (18 incidents). For the full article, see Cyber incidents for year to 30 June 2015.

According to Intel Security, New Zealand songstress Lorde ranks in the Top 10 of the "World’s Most Dangerous Celebrities" to search for online. Cybercriminals take advantage of interest in celebrities by filling search results with links to sites that may host malware and other online threats that can steal personal data and harm our devices. Intel Security conducted a study to determine the number of risky sites that would be generated in search results including a celebrity name and commonly searched terms.  Lorde ranged number nine in Intel’s 2015 list.  For the full article, see The 2015 Most Dangerous Celebrity.

The median number of days a cyber threat was present in victims system before being detected was 205 according to Mandiant’s 2015 MTrends report.  The report says 69 percent of victims were notified of the threat by an external entity.