Current Activity


July 2017 New Zealand Information Security Manual


The New Zealand Information Security Manual (NZISM) has been updated to include new guidance relating to cloud computing, independent assurance reports and cryptographic key management.

The July 2017 NZISM v2.6 updates the previous edition, NZISM v2.5, which was published in July 2016.

The most important updates support secure adoption of cloud computing and are the result of extensive consultation with the Department of Internal Affairs (GCIO) and the government information security community.

They focus on the approach to cloud services (Section 2.3), independent assurance reporting (Section 5.8), and Key Management (Section 17.9) which support the DIA’s Cloud Computing and Productivity Initiative.

There are also a large number of supporting amendments, policy interpretations and minor editorial updates throughout the document, as well as some new terms and definitions that have been included to clarify and aid policy interpretation.

All new materials and amendments are designed to simplify approaches while maintaining existing levels of governance and assurance. 

Petya Ransomware Campaign


New Zealand cyber security agencies – the National Cyber Security Centre (NCSC) and CERT NZ – are aware of international reports of a new international ransomware campaign. The ransomware has been identified as “Petya”.

The New Zealand National Cyber Security Centre (NCSC) provides services to government agencies, critical infrastructure providers and organisations of national significance, to assist them to defend against cyber-borne threats. The NCSC has released an advisory relating to this campaign directly to our customers.

Members of the public and other organisations wanting further information can refer to guidance on the CERT NZ website:

https://www.cert.govt.nz/it-specialists/advisories/advisory/new-petya-ransomware-threat

Response to WannaCry global ransomware attack

New Zealand cyber security authorities are aware of a significant international ransomware campaign - WannaCry.

The attack uses malware to encrypt victims' data and demands that victims pay a ransom to have their data restored.

The National Cyber Security Centre (NCSC) is working with the newly established CERT NZ to help protect New Zealanders from this form of attack.

The NCSC is taking steps to help increase the resilience of New Zealand’s nationally significant systems. These steps include technical measures and provision of mitigation advice.

The NCSC is aware that the ransomware exploits a known vulnerability in Windows operating systems and has previously provided advice to customers on addressing this vulnerability.

We are also working with CERT NZ to provide information on how individuals, small businesses and operators of larger systems can reduce their vulnerability to ransomware attacks.

Neither the NCSC nor CERT NZ has received any reports of a New Zealand incidence of this ransomware attack.

If you experience such an attack you should contact https://www.cert.govt.nz/

CERT NZ have more information about this attack at https://www.cert.govt.nz/businesses-and-individuals/recent-threats/alert-wannacry-ransomware-used-in-large-scale-international-attacks

NCSC Cyber Threat Report 2015/16

The NCSC cyber threat report contains information on cyber incidents over the reporting period from 1 July 2015 to 30 June 2016.

NCSC Cyber Security Advisory NCSC-C-2016-620

On 2 November 2016, the NCSC was made aware that a targeted spearphishing campaign against a New Zealand Health Sector organisation had been successful.

NCSC Security Advisory - NCSC-EV-2015-126

NCSC is aware of a recent campaign involving credential harvesting attacks in the form of spear phishing emails targeting different government agencies.

Notification of Bash Bug Advisory

A new vulnerability (CVE-2014-6271) in the Bash command-line interpreter poses a critical security risk to Unix and Linux systems, including Apple OS X.

Connect Smart

Connect Smart week runs from Monday 16 June to Friday 20 June, and has been organised by the National Cyber Policy Office.

NCSC advisory - OpenSSL Vulnerability

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw allowing an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library.

Mobile Electronic Device

The NCSC has released an advisory for mitigating the risks associated with mobile electronic devices.

NCSC Plesk Advisory

A security researcher has released details of a significant zero day vulnerability in some versions of the Plesk server management software.

New Training to Address Cyber Security Risk

A new cyber security and information assurance course has been launched by the Wellington Institute of Technology (WelTec) in collaboration with the GCSB.

NCSC – 2012 Incident Report Summary

NCSC has reported a significant increase in reported attacks against NZ government agencies, critical national infrastructure, and private sector orgs in 2012.

Apple QuickTime 7.7.3 Released

Apple have released QuickTime 7.7.3 for Windows 7, Vista, XP SP2 or later, in order to address several critical security vulnerabilities.

Sophos Anti-Virus Vulnerabilities

A recent report has described multiple vulnerabilities that have been identified in Sophos Anti-Virus products, prompting Sophos to issue a security advisory.

Top 35 Mitigation Strategies Updated

The Defence Signals Directorate (DSD) have released an October 2012 update to their Top 35 Strategies to Mitigate Targeted Cyber Intrusions.

Revocation of Adobe Code Signing Certificate

Adobe has announced plans to revoke a code signing certificate that appears to have been misused. The attached advisory contains further information.

Java Vulnerability Patch Released

This advisory is to report that Oracle has now released a patch to address the recently reported Java vulnerability (CVE-2012-4681).

iOS Hardening Configuration Guide

The iOS Hardening Configuration Guide issued in March 2012 by DSD, for iPod Touch, iPhone and iPad devices running iOS 5.1, is available from the DSD website.

Product Support Advisory

The NCSC has released an advisory recommending the best practices for all New Zealand Government ICT systems in relation to product support.

ICO’s Practical IT Security Guidance

Adopting good security practices and securing information is as crucial for small to medium enterprises as it is for the larger private and public sector agencies.