NZ's cybersecurity threats - Expert Q&A


12 December 2016


With the 14th annual Privacy, Security and Trust conference kicking off in Auckland today, the Science Media Centre asked cybersecurity experts about the biggest threats facing New Zealand.

From large-scale hacking, to ransomware and unsecured WiFi, the experts outlined a series of threats and what individuals, businesses and the Government should be doing to protect against cyber threats.

Please feel free to use these comments in your reporting. This is an abridged version - you can access the full version on scimex.org. For conference related queries contact Unitec's Megan Fowlie on +64 21 990 673.

- Dr Ryan Ko, University of Waikato
- Professor Hossein Sarrafzadeh, Unitec
- Dr Henry (Hank) Wolfe, University of Otago
- Dr Ian Welch, Victoria University of Wellington
 
Dr Ryan Ko, Head of Cyber Security Lab, University of Waikato:


Is the Government's Cyber Security Strategy enough to offer good protection against cyber attacks at a national level? Are there any significant holes in it?

"A strategy needs effective implementation. The National Cyber Policy Office has done great work in developing the second version of this strategy. The strategy was developed through several rounds of consultation with public and private stakeholders.

"It provides a coordinated approach, which involves all stakeholders and we need to acknowledge this – not many countries in the world are able to achieve this.

"An effective implementation will mean that every New Zealander will be equipped with basic levels of cyber resiliency or awareness. In my opinion, it will mean that New Zealand will have its own form of a 'cyber civil defence', with the right tools to get themselves out of the cybersecurity incidents that they encounter."

Just about everyone is now connected to the internet via a laptop or smartphone - what are the biggest threats we face as individual internet users? (eg. apps, unsecured wifi, use of e-commerce)

"There are two big threats facing individuals now. The first is ransomware (e.g. TorrentLocker, variants of CryptoLocker, Locky, etc) which will encrypt the information of a user to make the computer or laptop unusable, and only unlock the information when the criminals receive the ransom payment (usually in the form of bitcoins).

"The second threat we face as individual users are the human-nature related threats, which we call 'social engineering'. With the promise of free wifi, or an email which provides some alarming information, an unknowing or trusting user will click on a malicious link which will result in a download and sometimes, execution of malicious software which will take over the computing device."

Are New Zealand businesses doing enough to combat cybersecurity threats?

"At the moment, New Zealand businesses are not doing enough to combat cybersecurity threats. It is encouraging to see organisations such as NetSafe, NCPO, InternetNZ, Office of the Privacy Commissioner, and the Institute of Directors roll out awareness campaigns relating to these. Yet we are still at a stage where some IT professionals will have graduated through traditional computer science or ICT training that did not contain security design or security-minded curricula.

"Small and medium enterprises form 97 per cent of New Zealand's economy but most of them are not well aware or equipped to respond to such threats. In 2014 I conducted a survey together with market research company Colmar Brunton for Vodafone, called 'Cyber Security NZ SME Landscape'. It found that while companies with defined IT security policies are confident in their understanding of potential cyber threats, as many as two in ten do not have guidelines on what to do if their company was attacked by a hacker or a serious malware."

Professor Hossein Sarrafzadeh, professor of computer science, director of the Centre of Computational Intelligence for Cyber Security, Unitec:


Over the last year, what big episodes have we seen in cybersecurity globally that point to the most significant emerging threats?

"As recently as October there was a series of distributed denial of service attacks that targeted a major Domain Name System (DNS) services provider (Dyn). This resulted in widespread disruption, preventing users from accessing major websites such as Twitter, Spotify and PayPal. This attack was the result of a large number of insecure internet connected devices, also known as the internet of things (IoT). These devices were controlled by hackers and used to act as cannons to direct a large amount of bogus internet traffic and cause disruption.

"We are seeing a rapid growth in the sale and distribution of IoT devices that are not properly secured. As more objects become connected to the internet the opportunity for attacks increases. Here in New Zealand, we are seeing a rise in ransomware attacks and whaling attacks. Ransomware attacks are mainly targeting the health sector.

"Another emerging threat is interference with political and financial systems. Recent attacks on SWIFT are very worrying and could seriously threaten our financial systems. In the last month alone, we have seen Tesco Bank have 2.5 million pounds stolen from 9000 of its customers, and coordinated cyber-attacks in the UK and Germany that left more than 1 million people without internet access. This has potentially large geopolitical implications."

Are New Zealand businesses doing enough to combat cybersecurity threats?

"This is an ongoing and evolving threat and so there will always be opportunities for improvement. Many larger organisations have a dedicated cyber security team that raise awareness within the company, develop their security architecture and monitor their network for suspicious activity. Many organisations also share threat intelligence information to keep each other updated with cyber threats in real time.

"The challenge, however, sits with small to medium businesses who may not have the individual expertise within their teams or the budget to effectively deal with cyber threats. Not only may they lack the resources, but also they may lack security technologies such as Security Information and Event Management (SIEM) software, which is prohibitively expensive for most organisations. For these reasons, they are increasingly becoming targets for cyber terrorism.

"New Zealand is a country made up of mostly small to medium businesses and so it is critical for our country as a whole that we do more to support these businesses. Simple things like employee training, maintenance of anti-virus software and health checks of a business’ systems will decrease their risk of being attacked."

Dr Henry (Hank) B. Wolfe, Associate Professor, Information Science, University of Otago:


Just about everyone is now connected to the internet via a laptop or smartphone - what are the biggest threats we face as individual internet users? (eg. apps, unsecured wifi, use of e-commerce)

"In my humble opinion, the cell phone presents the most ubiquitous threat to everyday computer usage. In four of the main bus routes in Dunedin, we have identified 7,499 unique Wi-Fi sites. People, as a matter of routine, connect to whatever Wi-Fi site is available wherever they are and perform private actions without any concern as to why they are receiving this service, essentially free.

"In this life, if there is one given, that has to be that nothing is free. The cost of providing the Wi-Fi service must be borne by someone or some organisation. Why would they provide that service to the public without receiving something for it?

"How many of these 7,499 sites are observing the user’s activity and recording it for some unknown purpose? That purpose could be selling the information or making use of the information captured for some illegal purpose. There are no real safeguards."

Looking out to 2020, what are the biggest emerging cybersecurity threats that you see?

"More and more exploits are being developed for cell phones because this is an information-rich environment without much in the way of protection. There are 7.3 billion active mobile accounts now and that number is growing. The providers and developers spend an inordinate amount of time making their products so convenient that they become indispensable.

"They seem to spend very little time trying to secure the environment. The cell phone is the most ubiquitous surveillance device ever conceived by man. There may come a time, if we allow it, where everyone MUST have a cell phone in order just to live. That would be sad."

Generally, who are these cyber attackers, and how has the nature of cyber attacks changed in the last decade?

"The bad guys have figured out that going to a bank with a gun nets them $7,500 and 5-10 years in jail (90 per cent plus chance of getting caught and convicted). Going to the bank via a computer nets an average of $250,000 and has a reduced exposure to being caught.

"Computer crimes, in general, are punished at a much-reduced level as compared to physical crime. Today, everyone wants your data and is willing to pay for it. Privacy is archaic and most young people don’t value it. Therefore, the bad guys want to compromise big data for ransom, resale."

Dr Ian Welch, Associate Professor, School of Engineering and Computer Science, Victoria University of Wellington:


Just about everyone is now connected to the internet via a laptop or smartphone - what are the biggest threats we face as individual internet users? (eg. apps, unsecured wifi, use of e-commerce).

"Ransomware remains a major threat to individuals. Ransomware is software designed to look benign, that is delivered via email or messenger to victims who are tricked into installing it. The software encrypts their files and instructs users to send a ransom in bitcoins.

"Ransomware is very profitable due to the targeted nature of the attack resulting in a high conversion rate of contacts to payback (the emails are more sophisticated than the Nigerian prince type scams) and the fact that it pushes the costs of collecting the money onto the victim.

"Ransomware takes advantage of two things: (1) technical -- operating systems that provide too many privileges that can be exploited (compounded by home users often using the administrator user as their main profile); (2) social -- people find it hard to evaluate what is and isn’t a genuine request in the absence of training, and also attackers exploit natural cooperative behaviours that have served us well in the past but don’t always work so well in the cyber world."

What promising research are you seeing that points the way forward to more effective cybersecurity protection?

"Data mining and artificial intelligence (AI) is still a big help in the fight against new threats, in particular transfer learning that allows AI systems to transfer previous learnings to new domains. Very important in a world where attackers change their methods day by day.

"Technologies such as software defined networking; building systems that dynamically reconfigure the network in the face of threats. Similar systems do exist (Cisco for example) but these are quite inflexible and require you to use the one vendor everywhere. We want open and transparent solutions."

© Scoop Media

 
 
 