2016-12-14

With the 14th annual Privacy, Security and Trust conference held in Auckland this week, the Science Media Centre asked cybersecurity experts about the biggest threats facing New Zealand. Please feel free to use these comments in your reporting.

– Dr Ryan Ko, University of Waikato

– Professor Hossein Sarrafzadeh, Unitec

– Dr Henry (Hank) Wolfe, University of Otago

– Dr Ian Welch, Victoria University of Wellington

Q&A with Dr Ryan Ko

Dr Ryan Ko

Head of Cyber Security Lab, University of Waikato

Over the last year, what big episodes have we seen in cybersecurity globally that point to the most significant emerging threats?

“The Mirai botnet attack was probably the most devastating cybersecurity attack in recent times. It was not only the largest distributed denial of service (DDoS), disrupting major ISPs and companies worldwide, it also brought to light the dangers of insecure, vulnerable Internet of Things devices.”

Is the Government’s Cyber Security Strategy enough to offer good protection against cyber attacks at a national level? Are there any significant holes in it?

“A strategy needs effective implementation. The National Cyber Policy Office has done great work in developing the second version of this strategy. The strategy was developed through several rounds of consultation with public and private stakeholders.

“It provides a coordinated approach, which involves all stakeholders and we need to acknowledge this – not many countries in the world are able to achieve this.

“An effective implementation will mean that every New Zealander will be equipped with basic levels of cyber resiliency or awareness. In my opinion, it will mean that NZ will have its own form of a ‘cyber civil defence’, with the right tools to get themselves out of the cybersecurity incidents that they encounter.”

Just about everyone is now connected to the internet via a laptop or smartphone – what are the biggest threats we face as individual internet users? (eg. apps, unsecured wifi, use of e-commerce)

“There are two big threats facing individuals now. The first are ransomware (e.g. TorrentLocker, variants of CryptoLocker, Locky, etc) which will encrypt the information of a user to make the computer or laptop unusable, and only unlock the information when the criminals receive the ransom payment (usually in the form of bitcoins).

“The second threat we face as individual users are the human-nature related threats, which we call ‘social engineering’. With the promise of free wifi, or an email which provides some alarming information, an unknowing or trusting user will click on a malicious link which will result in a download and sometimes, execution of malicious software which will take over the computing device.”

What are the biggest threats cyber attacks pose to critical infrastructure in New Zealand?

“The biggest threats are probably the inability to respond quickly and effectively to attacks on the critical infrastructure in New Zealand. The recent establishment of the New Zealand Computer Emergency Response Team (CERT) is a step in the right direction but more capabilities, in terms of tools and awareness, are needed for all public and private stakeholders – big and small. This will allow them to be able to respond and get back to business quickly.”

Are New Zealand businesses doing enough to combat cybersecurity threats?

“At the moment, New Zealand businesses are not doing enough to combat cybersecurity threats. It is encouraging to see organisations such as NetSafe, NCPO, InternetNZ, Office of the Privacy Commissioner, and the Institute of Directors roll out awareness campaigns relating to these. Yet we are still at a stage where some IT professionals will have graduated through traditional computer science or ICT training that did not contain security design or security-minded curricula.

“Small and medium enterprises form 97 per cent of New Zealand’s economy but most of them are not well aware or equipped to respond to such threats. In 2014 I conducted a survey together with market research company Colmar Brunton for Vodafone, called ‘Cyber Security NZ SME Landscape’. It found that while companies with defined IT security policies are confident in their understanding of potential cyber threats, as many as two in ten do not have guidelines on what to do if their company was attacked by a hacker or a serious malware.

What measures can government and industry employ to protect their data and citizens’ data?

“In the short term, we need to increase the roll out of awareness and training programmes to all data stakeholders in government and industry. This comes in the form of posters, advertisements, workshops, and self-run audits for cybersecurity readiness. The government needs to educate generations of cyber-resilient citizens. We need to move away from the stereotype that cybersecurity is only for ‘geeks’. If you use a mobile device or a laptop, you are a stakeholder! You do not need to know how to configure systems but you need to know how to be vigilant in digital environments.

“In the longer term, we need to invest more into cybersecurity innovation which enables people to ‘help themselves’ when they are faced with a cyber security situation. We need more programmes like STRATUS , which aims to ‘return control of data to users’ – resulting in a remote data kill switch which enables the users to know, act and/or attribute, in data breach situations.

“I am worried that the society tends to overlook the important area of long-term research, which may be able to reverse the current cat-and-mouse game in cyber security.”

Generally, who are these cyber attackers, and how has the nature of cyber attacks changed in the last decade?

“The attackers have changed from hobbyists and activists, to criminals in the last decade.

“Ransomware, for example, is run by organised cyber criminals. It is even possible to guess where they are from, because sometimes, they take a break during certain holiday seasons. Most of our payments are now digital, so if you are a criminal, it is natural that you will focus on cyber attacks.”

Looking out to 2020, what are the biggest emerging cybersecurity threats that you see?

“The large-scale attacks like Mirai will continue to cripple critical infrastructure. There is no effective way to maintain resiliency and recover quickly from outages. This may mean the inability to transact online and will result in serious implications for the economy.

“Another big threat is the way the Internet of Things devices are designed. They are mostly insecure or unpatched, and they may become an Internet of Threats, which are controlled by malicious parties.”

Is cyberwarfare an issue we need to think about in New Zealand? Should we be considering it as a tool in our defence arsenal?

“We are all on the same ‘waka’ when we use the Internet. New Zealand is commonly used as a testbed, even in the area of cyber crime. We need to develop skills and technology to protect our nation against this category of threats.”

What promising research are you seeing that points the way forward to more effective cybersecurity protection?

“The most promising research areas are homomorphic encryption, which allows us to preserve privacy while encrypted data becomes processed in third-party environments, and data provenance – which looks at ‘what has happened to my data’.

“We cannot assume that devices processing our data will be protected but we can assure better security when we protect the data – the real asset.”

Q&A with Professor Hossein Sarrafzadeh

Professor Hossein Sarrafzadeh

Professor of Computer Science, Director, Centre of Computational Intelligence for Cyber Security, Unitec

Over the last year, what big episodes have we seen in cybersecurity globally that point to the most significant emerging threats?

“As recently as October there was a series of distributed denial of service attacks that targeted a major DNS services provider (Dyn). This resulted in widespread disruption, preventing users from accessing major websites such as Twitter, Spotify and PayPal. This attack was the result of a large number of insecure internet connected devices, also known as the internet of things (IoT). These devices were controlled by hackers and used to act as cannons to direct a large amount of bogus internet traffic and cause disruption.

“We are seeing a rapid growth in the sale and distribution of IoT devices that are not properly secured. As more objects become connected to the internet the opportunity for attacks increases. Here in New Zealand, we are seeing a rise in ransomware attacks and whaling attacks. Ransomware attacks are mainly targeting the health sector.

“Another emerging threat is interference with political and financial systems. Recent attacks on SWIFT are very worrying and could seriously threaten our financial systems. In the last month alone, we have seen Tesco bank have 2.5 million pounds stolen from 9000 of its customers, coordinated cyber-attacks in the UK and Germany that left more than 1 million people without internet access. This has potentially large geopolitical implications.”

Is the Government’s Cyber Security Strategy enough to offer good protection cyber attacks at a national level? Are there any significant holes in it?

“The Government Cyber Security Strategy is a step in the right direction for local businesses and the country as a whole. The New Zealand government has recognised that cybersecurity is not an issue that organisations can tackle independently. They have also acknowledged that cybercrime cost the New Zealand economy $257 million last year.

“One of the highlights of the strategy is the formation of a national CERT and the allocation of $22 million to provide a central point of contact for organisations to report incidents, as well as provide organisations an ability to access some intelligence about real-time cyber attacks.

“The execution of the strategy is still in its early days, but we anticipate opportunities to embed cyber security awareness and education as a formal programme within schools and Universities. This investment is essential although more needs to be allocated to this very vital area.”

Just about everyone is now connected to the internet via a laptop or smartphone –what are the biggest threats we face as individual internet users? (e.g. apps, unsecured wifi, use of e-commerce)

“People who use a single set of credentials for usernames and passwords across multiple online accounts risk having their other accounts compromised if one of these accounts is hacked. To mitigate this risk, we would encourage users to use different passwords for each account, and consider enabling two-factor authentication, such as Google authenticator, to prevent hackers from accessing their information if their credentials are compromised. I would recommend password management software be used by everyone.

“Another emerging trend is the significant increase in the propagation of malware, particularly ransomware, often in combination with phishing attacks. These types of malware, will encrypt all files, effectively holding your information hostage. The malware then redirects you to a payment website and forces you to make a payment (in the cryptocurrency bitcoin!) before unlocking your files.

“This can be particularly devastating for people who lose all of their family photos and other valuable information. Ransomware can also target externally connected storage and even your dropbox or other cloud storage drives!

“The evolving complexity of malware highlights the need to be able to deal with ongoing new threats; this means more than just protection but ongoing defence. Hackers will get in and so tools and strategies capable of finding hackers in real time within networks and catching them before they do damage need to be employed.”

What are the biggest threats cyber attacks pose to critical infrastructure in New Zealand?

“The biggest concerns around threats could be in relation to our power infrastructure. If a hacker gets in, there is a risk that the critical power infrastructure will be shutdown, causing a widespread outage across the country. This has serious implications for hospitals, transportation and our food supply, to name a few.

“Safety is another huge threat. For instance, hackers could potentially generate an attack that could cause a generator to overheat and explode, causing civilian injury.”

Are New Zealand businesses doing enough to combat cybersecurity threats?

“This is an ongoing and evolving threat and so there will always be opportunities for improvement. Many larger organisations have a dedicated cyber security team that raise awareness within the company, develop their security architecture and monitor their network for suspicious activity. Many organisations also share threat intelligence information to keep each other updated with cyber threats in real time.

“The challenge, however, sits with small to medium businesses who may not have the individual expertise within their teams or the budget to effectively deal with cyber threats. Not only may they lack the resources, but also they may lack security technologies such as Security Information and Event Management (SIEM) softwares, which are prohibitively expensive for most organisations. For these reasons, they are increasingly becoming targets for cyber terrorism.

“New Zealand is a country made up of mostly small to medium businesses and so it is critical for our country as a whole that we do more to support these businesses Simple things like employee training, maintenance of anti-virus software and health checks of a business’ systems will decrease their risk of being attacked.”

What measures can government and industry employ to protect their data and citizens’ data?

“The formation of a CERT is a good step in the right direction, and we will be keeping a close eye on developments.

Formalising a set of compliance standards could be useful – having these mandatory for organisations that host sensitive data, particularly the health care and education industries, would contribute to raising the baseline of security of the country.

Enforcing a strong set of security controls around user access to data, backed with active and regular monitoring of access would help.

Consider building a ‘perimeter defence’ around critical business assets hosting sensitive data, by hosting these assets on a different network segment compared to other assets.

Educating the general public with advertising and education in schools. There are police and government initiated campaigns around protecting ourselves physically and protecting our property from criminals, but no campaigns to date around protecting ourselves from criminals online.”

Generally, who are these cyber attackers, and how has the nature of cyber attacks changed in the last decade?

“The cyber attackers range from nation states or state-sponsored attackers, to organised criminals, hacktivists and script-kiddies. It is very hard to tell as they are operating in the virtual space.  The barriers to entry for this type of crime are relatively low compared with other criminal activities, such as the drug trade.

We are now seeing far more cases of organised crime and state-sponsored attacks compared to previous years.

Given that the internet infrastructure has evolved and we have more and more devices connected online, the surface area for cyber attacks has increased radically.

Previously, we did not have to worry about internet of things – now we do.

Malware has now become dynamic, to the point that they actively morph or change state to bypass antivirus detection.

There were very few smartphones ten years ago; social media and online advertising were also in their infancy. In addition to hacking websites and social media platforms, hackers can also hijack advertisement platforms to distribute malware.

The use of encryption has become more prominent across the internet. While encryption can be used for protection, it is also used by hackers to mask their malicious activity and to access the darknet and its illegal trading websites.”

Looking out to 2020, what are the biggest emerging cybersecurity threats that you see?

“Internet of Things will continue to grow, but will almost certainly remain insecure by design, increasing our vulnerability to attacks. One example is that as autonomous vehicles become mainstream there is the possibility for hackers to intercept the vehicle’s system if they are not properly designed.

There are many threats associated with cloud computing and as cloud computing becomes more adopted, these threats increase. For instance, the infrastructure-as-a-service provider Code Spaces went out of business when a hacker gained access to their cloud management panel and deleted all of their virtual servers along with their customer data. There are also unscrupulous cloud service providers. We also need to be more cautious about where our data is being hosted.

With the increasing use of bring-your-own-devices, we need to address how can we better secure these, as people are more likely than ever to use sensitive corporate data on their personal devices.

Social engineering will continue to be an effective mechanism for hackers – after more than a decade, hackers still rely on phishing.”

Is cyberwarfare an issue we need to think about in New Zealand? Should we be considering it as a tool in our defence arsenal?

“Yes. It is important for New Zealand to continue to build capability in this area just as other countries such as the US, Russia and China are investing heavily. Developed countries are increasingly reliant on digital infrastructures. Attacking these systems has real world consequences and the potential to cripple cities and bring down corporations and Governments.

“New Zealand is well placed as a trusted nation to move into the area of cyberdefence and make economic and security benefits from this area. It is also essential for us to create the human capital necessary to build such a capability. This needs to be done sooner rather than later as we may lose the opportunities that exist in this area.”

What promising research are you seeing that points the way forward to more effective cybersecurity protection?

“There are some interesting things happening in the antivirus and endpoint security space. Antivirus is moving from the traditional signature-based model of generating a known hash for a file, to more use of behavioural analysis – stopping malware in its tracks, or at least limiting the damage that it can do – before it triggers a malicious action.

Cyber Threat Intelligence – the automated exchange of cyber threat information across (STIX and TAXII standards).

IoT security is another area of research that is gaining more and more significance

Government funding needs to be invested more carefully and effectively. More experienced researchers should be given the opportunity to lead research in this area.

This growing illegal trade also presents opportunities- 3.3 billion US dollars were invested by Venture capitalists in cybersecurity in 2015 alone, double the amount in 2013, and four times the amount invested in 2010.

Q&A with Dr Henry B. Wolfe

Dr Henry B. Wolfe

Associate Professor, Information Science, University of Otago

Over the last year, what big episodes have we seen in cyber security globally that point to the most significant emerging threats?

“It appears that large databases are being targeted again and again. Data captured from these sites have value for resale and for blackmail. There’s a site called “World’s Biggest Data Breaches”.

“One example is AshleyMadison.com where 37 million records were compromised. The site purports to be a meeting place for those who want to enter into extra-marital affairs. Marriages were ruined and people committed suicide because of this single episode.”

Is the Government’s Cyber Security Strategy enough to offer good protection cyber attacks at a national level? Are there any significant holes in it?

“This strategy is very well done but is something that must be constantly changed as circumstances warrant. The new version must be circulated immediately after the last change.

“I’m not so sure that this reaches the audience (which should be all businesses and individuals who are interested). The dissemination process could be improved.”

Just about everyone is now connected to the internet via a laptop or smartphone – what are the biggest threats we face as individual internet users? (eg. apps, unsecured wifi, use of e-commerce)

“In my humble opinion, the cell phone presents the most ubiquitous threat to everyday computer usage. In four of the main bus routes in Dunedin, we have identified 7,499 unique Wi/Fi sites. People, as a matter of routine, connect to whatever Wi/Fi site is available wherever they are and perform private actions without any concern as to why they are receiving this service, essentially free.

“In this life, if there is one given, that has to be that nothing is free. The cost of providing the Wi/Fi service must be born by someone or some organisation. Why would they provide that service to the public without receiving something for it?

“How many of these 7,499 sites are observing the user’s activity and recording it for some unknown purpose? That purpose could be selling the information or making use of the information captured for some illegal purpose. There are no real safeguards.”

Are New Zealand businesses doing enough to combat cyber security threats?

“I have been a security evangelist for most of my time in New Zealand (37 plus years) and have yet to hear anyone jump up and sing out “Hallelujah, I believe!!!!”.

“So, in my humble opinion, my answer would have to be “NO”.

“The public and businesses, in general, pay lip service to the notion of security but really have little in the way of commitment. Of course, there are exceptions such as banks, the intelligence community, police, etc.

“But most people could care less or employ the minimum mitigating measures. Many businesses have little or no interest in serious security measures that would adequately protect their business. All it takes is a disaster to confirm this assertion.”

What measures can government and industry employ to protect their data and citizens’ data?

“The most effective measure would be, in the first instance, the deployment of strong encryption. The key is the word “strong” because all encryption is not created equal. In the second instance access to this protected information should be guarded in a compartmented way only allowing access where that access is necessary to perform some business task.

“Data should only ever be transported, through whatever means, in encrypted form without exception. So, these measures must be used with appropriate procedures that will provide the highest level of protection.”

Generally, who are these cyber attackers, and how has the nature of cyber attacks changed in the last decade?

“The bad guys have figured out that going to a bank with a gun nets them $7,500 and 5-10 years in jail (90% plus chance of getting caught and convicted). Going to the bank via a computer nets an average of $250,000 and has a reduced exposure to being caught.

“Computer crimes, in general, are punished at a much reduced level as compared to physical crime. Today, everyone wants your data and is willing to pay for it. Privacy is archaic and most young people don’t value it. Therefore, the bad guys want to compromise big data for ransom, resale.”

Looking out to 2020, what are the biggest emerging cybersecurity threats that you see?

“More and more exploits are being developed for cell phones because this is an information-rich environment without much in the way of protection. There are 7.3 billion active mobile accounts now and that number is growing. The providers and developers spend an inordinate amount of time making their products so convenient that they become indispensable.

“They seem to spend very little time trying to secure the environment. The cell phone is the most ubiquitous surveillance device ever conceived by man. There may come a time, if we allow it, where everyone MUST have a cell phone in order just to live. That would be sad.”

Is cyberwarfare an issue we need to think about in New Zealand? Should we be considering it as a tool in our defence arsenal?

“Yes. As a sovereign nation we must be in a position to defend against those who would attack us. That means knowing about attack strategies as well as defensive measures.”

What promising research are you seeing that points the way forward to more effective cybersecurity protection?

“Funding organisations do not recognise the importance of cybersecurity research. Without funding not much research happens – no matter what the subject. It would be difficult to find cybersecurity research projects that have external funding.

“The outlook is bleak unless the ethos changes to recognise that everything we touch today is controlled by computer in some way. How can we not invest in protecting that function?”

Q&A with Dr Ian Welch

Dr Ian Welch

Associate Professor, School of Engineering and Computer Science, Victoria University of Wellington

Just about everyone is now connected to the internet via a laptop or smartphone – what are the biggest threats we face as individual internet users? (eg. apps, unsecured wifi, use of e-commerce).

“Ransomware remains a major threat to individuals. Ransomware is software designed to look benign, that is delivered via email or messenger to victims who are tricked into installing. The software encrypts their files and instructs users to send a ransom in bitcoins.

“Ransomware is very profitable due to the targeted nature of the attack resulting in a high conversion rate of contacts to payback (the emails are more sophisticated than the Nigerian prince type scams) and the fact that it pushes the costs of collecting the money onto the victim.

“Ransomware takes advantage of two things: (1) technical — operating systems that provide too many privileges that can be exploited (compounded by home users often using the administrator user as their main profile); (2) social — people find it hard to evaluate what is and isn’t a genuine request in the absence of training, and also attackers exploit natural cooperative behaviours that have served us well in the past but don’t always work so well in the cyber world.”

Are New Zealand businesses doing enough to combat cybersecurity threats?

“My understanding from talking to friends involved in commercial cyber security is that management doesn’t really understand the real threats.

“I have the same feedback from teachers talking to parents. ConnectSmart and Netsafe do an excellent job but we need to keep these services relevant and constantly improving.”

What measures can government and industry employ to protect their data and citizens’ data?

“Keep your systems updated.

“Have offline backups that go back six months.

“Think about operational security (don’t double click on that attachment).”

Generally, who are these cyber attackers, and how has the nature of cyber attacks changed in the last decade?

“My understanding is that cyber attacks are generally commercial in nature (Anonymous aside). We left the hacker in their bedroom several years ago.

“We also see government-sponsored hacking. China attacking dissidents is a common example, but we know from Snowden that the Five Eyes – the intelligence alliance between Australia, Canada, New Zealand, the United Kingdom and the United States – may be involved in their own cyber intelligence gathering.”

Looking out to 2020, what are the biggest emerging cybersecurity threats that you see?

“The biggest threats are likely to be: the Internet of Things (IoT), threats to privacy, but also upon physical systems connected to the internet, such as infrastructure.

“False news and information, what if attackers choose to tweak our perception of reality by changing information, inciting social upheaval, rather than directly attack our services?”

Is cyberwarfare an issue we need to think about in New Zealand? Should we be considering it as a tool in our defence arsenal?

“I am very much against retaliation in cyber warfare because of the shared nature of the Internet. Our anti-DDoS might take ourselves down as well.

“I am in favour of incident response centres, gathering intelligence and removing vulnerabilities.”

What promising research are you seeing that points the way forward to more effective cybersecurity protection?

“Data mining and AI is still a big help in the fight against new threats, in particular transfer learning that allows AI systems to transfer previous learnings to new domains. Very important in a world where attackers change their methods day by day.

“Technologies such as software defined networking; building systems that dynamically reconfigure the network in the face of threats. Similar systems do exist (CISCO for example) but these are quite inflexible and require you to use the one vendor everywhere. We want open and transparent solutions.”

Show more