The NCSC uses this site to share relevant security information and news produced by the NCSC and other organisations.
10 March 2014
New standards for cyber security have been developed and agreed by operators of critical power infrastructure in New Zealand.
The voluntary standards have been developed by the National Cyber Security Centre, which is part of the Government Communications Security Bureau (GCSB), and the New Zealand Control Systems Security Information Exchange forum.
The GCSB Director, Ian Fletcher, says, “The national and economic security of New Zealand depends on the reliable functioning of critical infrastructure, like our electricity networks.
“We meet several times a year to share information about threats and vulnerabilities in industrial control systems, which allow centralised supervision and control of remote assets such as power stations. It is this commitment to information sharing and collaboration across the industry which has led to the development of the voluntary standards,” Mr Fletcher says.
“The energy sector forms a key part of New Zealand’s critical economic infrastructure and application of these voluntary standards will help increase the resilience of key systems and reduce their vulnerability to cyber-borne threats.
“The development of these standards is a tangible demonstration of effective collaboration between government and the private sector, and those involved are to be commended for their initiative and commitment,” he says.
While these nine standards have been developed for the power sector, they can be applied to all industries that operate industrial control systems. It is intended that they will be a starting point for further development and improvement.
As part of the GCSB’s commitment to work with network operators, a draft of the Guidance paper for the Network Security section (part 3) of the Telecommunications (Interception Capability and Security) Act 2013 (TICSA) was released to network operators for consultation on the 17th of February 2014.
The draft Guidance gives network operators an overview of the process they will need to follow under the Act, details the information they will need to provide, and proposes some exemptions to the duty to notify.
The consultation period will last for 5 weeks until the 28th of March, at which point the feedback will be collated into a final version which will be shared with network operators, before being released to the wider public on the NCSC website in advance of the TICSA coming into effect on the 11th of May 2014.
If you are a network operator as defined in the TICSA, and you have not received a copy of the draft Guidance, please contact the NCSC via email@example.com to obtain a copy.
The NCSC has released an advisory for mitigating the risks associated with mobile electronic devices. You can access the full advisory below.
If you have any questions regarding this advisory, please contact the NCSC at firstname.lastname@example.org
Mozilla has released a Security Advisory which details a number of vulnerabilities in several versions of the Firefox Internet browser and Thunderbird email client. The advisory outlines multiple vulnerabilities in the following products:
• Firefox versions prior to 22.0
• Firefox Extended Support Release (ESR) versions prior to 17.0.7
• Thunderbird versions prior to 17.0.7
• Thunderbird Extended Support Release (ESR) versions prior to 17.0.7
These vulnerabilities could allow remote code execution, cause affected applications to crash, potentially leak sensitive information, and allow privilege escalation or unauthorized access in a number of different contexts.
Full details about the vulnerabilities can be found on Mozilla’s website.
NCSC recommends that administrators, where possible and in accordance with their organisational policies, update Firefox and Thunderbird to the latest available versions, 22.0 and 17.0.7 respectively.
A security researcher has released details of a significant zero-day vulnerability in some versions of the Plesk server management software. The code-execution vulnerability affects default versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 of Plesk running on the Linux and FreeBSD operating systems. Windows and other types of Unix have not currently been tested to see if those configurations are vulnerable as well.
Plesk is a control panel that is commonly used to manage servers through a graphical interface. Plesk environments running the versions identified above could be exploited to allow an attacker to compromise and control managed servers by gaining the privileges of authorised users and taking control of the affected system.
Trend Micro has published further information on the report which can be found here.
NCSC recommends that, where practical and with the appropriate due diligence, network operators upgrade to a version later than those vulnerable, as later releases are not currently being reported as vulnerable to this specific issue.
The purpose of this advisory is to provide guidance for securing government public-facing networks and systems.
Cyber Security Awareness Week (CSAW) begins on Monday, 27 May. CSAW is being run by NetSafe and a number of events are planned.
In support of NetSafe, the NCSC encourages home computer users to participate in these events and ensure that they are adopting the best possible security practices. A full list of events can be found here: http://www.securitycentral.org.nz/events-and-resources/cyber-security-aw...
3 May 2013
Cyber planning course for key NZ infrastructure orgs
The National Cyber Security Centre (NCSC), with the CERT Program of Carnegie Mellon University’s Software Engineering Institute (SEI), is offering spaces on a one-day course for Government departments and critical infrastructure operators on how to respond to cyber attacks.
The National Cyber Security Centre is part of the Government Communications Security Bureau (GCSB), which has a role to protect government systems and information, and to work with critical infrastructure operators to help them improve their computer and network security.
GCSB Director Ian Fletcher says, “We are pleased to be able to offer this training for government and the private sector in partnership with Carnegie Mellon University.
“The Carnegie Mellon Software Engineering Institute is regarded as the world leading training institute in this field. We have developed this Incident Management programme specifically for New Zealand to support our important organisations develop Computer Security Incident Response Teams (CSIRTs).
“The teams will have an agreed method and format for responding to suspected threats, as well as setting up trusted communication channels and collaboration across New Zealand. It also involves developing training and mentoring to ensure the expertise and skills base is grown.
“Cyber attacks are becoming more advanced and sophisticated, and increasingly are targeting intellectual property and other proprietary information held by businesses as well as individuals.
“There’s no reason to believe New Zealand is any different from the rest of the world. We are seeing more incidents reported in New Zealand, and we can benefit from having a standardised cyber security incident response method and format.”
The courses are being run in Auckland, Wellington and Christchurch in mid-June.
Organisations interested in taking part can contact email@example.com. There is no charge for attending the sessions.
Media contact: Antony Byers 04 463 1667 or 021 241 7449
A new cyber security and information assurance course has been launched by the Wellington Institute of Technology (WelTec) in collaboration with the Government Communications Security Bureau (GCSB).
Speech given by the GCSB Director Ian Fletcher at the Gallagher Security conference held in Hamilton on 11 March 2013