The NCSC uses this site to share relevant security information and news produced by the NCSC and other organisations.
A recent report by a security researcher has described multiple vulnerabilities identified in Sophos Anti-Virus products, prompting Sophos to issue a security advisory. Sophos has reported that some of the vulnerabilities identified in the report have now been patched and that additional patches will be rolled out to address the remaining vulnerabilities from November 28th 2012.
The NCSC advises that users of Sophos AV products follow best practice and ensure systems are fully patched and kept up to date, while applying appropriate security controls to mitigate these vulnerabilities. Links to the initial vulnerability report and Sophos’ security advisory are provided below.
Any queries regarding either of these issues should be directed to the NCSC.
The Defence Signals Directorate (DSD) of the Australian Department of Defence has released an October 2012 update to its Top 35 Strategies to Mitigate Targeted Cyber Intrusions.
The NCSC sees targeted attack patterns here in New Zealand that are similar to those DSD has observed in Australia.
There are no new entries on the list this year, but the ranking of some items has changed to reflect the most recent data available (including efforts to mitigate intrusions based on previous iterations of this list).
While mitigation action cannot prevent all malicious activity, the effectiveness of implementing the Top 4 Strategies on the list remains significant.
The latest release of the Top 35 Mitigation Strategies can be found here, along with further advice from DSD on mitigation techniques.
Online security threats are a growing concern for organisations across the globe. Recent trends observed include widespread, sustained attacks on networks and the evolution of sophisticated techniques to penetrate digital defences and steal sensitive data. In addition, the growing popularity of new technologies such as mobile devices, cloud services and virtualisation has encouraged cyber actors to diversify their methods and targets to take advantage of new vulnerabilities as they arise. In 2011, Sophos also reported a surge in attacks carried out as a form of protest action, commonly through website defacements, data theft or denial-of-service attacks conducted against both public and private organisations in order to convey a message.
The 2012 Sophos Security Threat Report provides useful insight into the ever-changing online security environment in 2011, as well as highlighting residual vulnerabilities still found in organisations which, if addressed, can significantly reduce the risk of a successful cyber-attack. The report can be downloaded from the Sophos website.
Adobe has announced plans to revoke a code signing certificate that appears to have been misused. The attached advisory contains further information.
This advisory is to report that Microsoft has released an Out of Band patch to address the recently reported IE vulnerability (CVE-2012-4969). The patch provides a practical mitigation suitable for enterprise-wide application.
In response to the weakness of certificates using RSA keys shorter than 1024 bits, which are no longer considered strong enough to resist factoring, Microsoft has issued a Security Update (2661254) that blocks the use of such certificates. The NCSC recommends that organisations maintain fully patched operating environments at all times, as outlined in the Top 35 Mitigation Strategies. The update is now available for download, to allow it to be fully tested prior to its wider October release.
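Before an update of this kind is applied, a practitioner will want to know which certificates in their own chains will be affected. The following is an added example, not code from the NCSC or Microsoft: a standalone Go check that walks a DER-encoded certificate chain and flags every RSA public key shorter than the 1024-bit threshold stated above. The sample chain it builds (a 2048-bit issuer signing a leaf that carries a 512-bit modulus) is constructed inline for illustration; the threshold constant and the type and function names are this example's own, not Microsoft's, and the check inspects a chain you hand it rather than the Windows certificate store.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MinRSABits is the threshold described in the advisory: RSA keys shorter
// than this are blocked by the update. (Name chosen for this example.)
const MinRSABits = 1024

// WeakKeyFinding records one certificate in a chain whose RSA key is too short.
type WeakKeyFinding struct {
	Index   int    // position in the chain, 0 = first certificate given
	Subject string // subject common name, for reporting
	Bits    int    // modulus length in bits
}

// FindWeakRSAKeys parses each DER-encoded certificate in chain and reports
// those whose RSA public key has a modulus shorter than minBits.
// Certificates with non-RSA keys are skipped, since the threshold is RSA-specific.
func FindWeakRSAKeys(chain [][]byte, minBits int) ([]WeakKeyFinding, error) {
	var findings []WeakKeyFinding
	for i, der := range chain {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", i, err)
		}
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if bits := pub.N.BitLen(); bits < minBits {
			findings = append(findings, WeakKeyFinding{Index: i, Subject: cert.Subject.CommonName, Bits: bits})
		}
	}
	return findings, nil
}

// SampleChain builds constructed test data: a self-signed 2048-bit issuer and a
// leaf it signs whose public key has a 512-bit modulus. The weak modulus is the
// product of two 256-bit primes; it is only ever embedded, never used to sign,
// so the example works even where the runtime refuses to operate on short keys.
func SampleChain() ([][]byte, error) {
	issuerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	issuerTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "issuer.example"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	issuerDER, err := x509.CreateCertificate(rand.Reader, issuerTmpl, issuerTmpl, &issuerKey.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	p, err := rand.Prime(rand.Reader, 256)
	if err != nil {
		return nil, err
	}
	q, err := rand.Prime(rand.Reader, 256)
	if err != nil {
		return nil, err
	}
	weakPub := &rsa.PublicKey{N: new(big.Int).Mul(p, q), E: 65537}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "weak-leaf.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, issuerTmpl, weakPub, issuerKey)
	if err != nil {
		return nil, err
	}
	// Leaf first, issuer second, as a server would present them.
	return [][]byte{leafDER, issuerDER}, nil
}

func main() {
	chain, err := SampleChain()
	if err != nil {
		panic(err)
	}
	findings, err := FindWeakRSAKeys(chain, MinRSABits)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("certificate %d (%s): %d-bit RSA key is below %d bits\n", f.Index, f.Subject, f.Bits, MinRSABits)
	}
}
```

In practice the chain passed to `FindWeakRSAKeys` would come from a TLS handshake, a PEM bundle or an exported store; the check deliberately reports every short key in the chain rather than only the leaf, because an old intermediate or root with a short key will also cause the chain to be rejected once the update is in force.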
This advisory is to report that Oracle has now released a patch to address the recently reported Java vulnerability (CVE-2012-4681). The patch provides a practical enterprise level solution to mitigate the effects of this significant vulnerability.
The iOS Hardening Configuration Guide issued in March 2012 by the Australian Defence Signals Directorate (DSD) for iPod Touch, iPhone and iPad devices running iOS 5.1, is available from the DSD website. The NCSC concurs with the recommendations made in this guide and supports its use. A consumer guide detailing the findings and recommendations resulting from the DSD evaluation of iOS 5.1 is also available.
Any queries regarding either of these publications should be directed to the NCSC.
Data security and breaches of data are a major issue for organisations of all shapes and sizes. Organisations that understand how these breaches occur, where the risks lie and which practices can best be employed to mitigate them are best placed to preserve the integrity of the data they hold.
The 2012 Verizon report into investigated data breaches highlights the current trends and key threats experienced in the online environment, as well as providing mitigation strategies for different forms of cyber threat. The report is available on Verizon’s website.
The NCSC has released an advisory recommending best practices for all New Zealand Government ICT systems in relation to product support. The advisory highlights the importance of keeping ICT products patched and maintained at all times, and the need to consider replacing systems which have reached their end-of-life (EOL) and may no longer be supported. You can access the full advisory below.