Q&A - Delving deep into the NZ security landscape
- 21 October, 2015 05:58
Andy Prow - Founder and CEO, Aura Information Security
Aura Information Security founder and CEO Andy Prow examines the security scene in New Zealand, offering expert advice for businesses across the country.
How prevalent is hacking in New Zealand? Is there any way to quantify it?
It is really, really hard to quantify, but unfortunately it’s far more prevalent than is reported.
In New Zealand you must notify the powers that be if you’ve had credit card data stolen due to PCI laws, and you should notify the Office of the Privacy Commissioner for privacy breaches, but we have no mandatory breach notification laws in New Zealand.
So in fact, lots of people would prefer not to - for obvious reasons, particularly due to the embarrassment involved and the commercial impacts of telling your customers their data has been breached.
Who are the main culprits? Is it politicians, bloggers, journalists?
From first hand experience it’s right across the spectrum.
There’s evidence of overseas hackers targeting New Zealand systems - and we’ve seen large sums of money (fraud attacks which often involve hundreds of thousands of dollars) and, of course, valuable data hacked.
Political information often gets hacked, and there are also instances where attacks are carried out or instigated by malicious ex-employees.
How often are these hacks commissioned by someone else?
It’s almost impossible to quantify, although the ones we do see are invariably undertaken by the perpetrator.
What we often see is that lots of the overseas hackers then sell the value of what they’ve accessed on to other third parties. Political activists tend to publish the information, as well.
How does New Zealand compare to other countries in terms of hacking? Are there a lot more or less or similar breaches?
There are still a lot less, and the main reason for that is the cumulative value of our data is still quite low.
Having said that, in the last 12 months we’ve heard of lots of organisations who’ve been breached, most only asking for help after the event, and the attack traffic hitting our RedShield offering has increased exponentially.
If you’re a global hacker, New Zealand generally isn’t on your radar. But suffice to say we’re a weak target because, by and large, we tend to have weaker systems.
But remember hacks outside of New Zealand still affect Kiwis - there are reportedly over 127,000 Kiwis very worried after the Ashley Madison breach.
Are you able to give any more details of people asking you to hack a system and give a report in order to dig up dirt?
We have been asked to do that in the past, both in New Zealand and overseas, but obviously can’t provide the details. Never have we carried out this sort of work, and nor will we.
How good are law enforcement/security agencies at stopping this type of activity?
In New Zealand we are massively under-resourced, and it’s really hard for law enforcement organisations to engage with overseas agencies for what are often small attacks and issues when compared to the size of global breaches.
Every single customer we’ve had who has reported things to the police, if the attacker is from overseas, that pretty much ends the investigation because it all gets a bit too hard.
What more needs to be done to make sure systems are safe from hacking?
On one level the systems need to be much more resilient, to ensure they’re less susceptible to hacking, and this isn’t just a one-off activity but something that needs to be maintained and kept on top of. We can control that in New Zealand.
From a legal perspective this will be an ongoing issue until the Internet becomes one legal jurisdiction. At the moment the system is set up globally so the hackers can easily hide.
What are we looking at if New Zealand doesn't up its IT security systems/change the law?
With regards to upping security systems - it’s a problem that’s getting bigger and bigger, and there will be an increasing number of instances which involve breaches of people’s valuable data.
Remember the cumulative data being held about us online these days is pretty much every aspect of our personal and professional lives, and most of what we do and use on a daily basis.
The legal question links back to my earlier point. How can you change New Zealand law to stop Chinese or Croatian hackers, for example, or protect a Kiwi’s data being held overseas?
What could you do in our country without the help of overseas jurisdictions? It’s a tough one.