From: Katrina Casey, Acting Secretary for Education <bull...@education.govt.nz>
Subject: Urgent message from Ministry of Education on Cyber Security
Message from Ministry of Education on Cyber Security
Background
We have been made aware of a number of cyber-attacks that have led to school servers being compromised. Where we become aware that a school’s server is potentially affected, we will contact you immediately. Cybercriminals will attack your servers for a number of reasons; however, our initial assessment is that it is more likely they are motivated to use them as staging posts for other attacks (eg sending spam) or for pure financial gain (eg ransomware), rather than to illegally obtain school data per se.
Recommended action
We recommend that you:
- Firstly, check ALL school servers for any signs of compromise, specifically remote access logs, processes consuming high amounts of processor time (potential Bitcoin mining) and unusual outbound communication including software / applications contacting overseas IP addresses. Your IT provider or school IT staff will be best placed to assist with this.
We also recommend the following to improve your resilience to cyber-attacks.
- Enforce a complex password policy and ensure that default passwords for system accounts are changed.
- Implement two-factor authentication for remote access, such as Remote Desktop Protocol (RDP) and Virtual Private Network (VPN). For more details on VPN go to NetSafe.
- Apply regular updates to applications and operating systems to ensure up to date protection against known vulnerabilities.
- Restrict accounts with administrative privileges to make it more difficult for an attacker to install malware and gain access to the wider network.
- Ensure backups are run regularly with separate backups of both data and server images. Check backups on a regular basis to ensure the backups are successful and can be used to restore data.
- Ensure a secure configuration of servers by blocking or disabling all externally facing services and ports by default, and only enabling those actually required. This can include whitelisting or blocking external access to administration panels and not using default login credentials.
- Ensure antivirus software is installed and updated regularly and in all cases no later than 7 days from release of an update from the anti-virus provider.
- Enable comprehensive logging and ensure that at least three months’ logs are retained and backed up. Logging is critical in a forensic context to establish the cause, extent and duration of any future incident.
What to do if a compromise is identified
If you identify any signs of compromise, we recommend the following:
- Immediately isolate the compromised server(s) from the internet.
- Force a password change for all user accounts, including network accounts.
- Rebuild the server. Rebuilding the server is crucial to ensure removal of all malware and methods of access created by the attackers. If your school seeks to enlist the services of a security provider to conduct a forensic investigation of the incident, they will require access to the server to conduct analysis prior to the server being rebuilt.
If ransomware is identified
If you identify ransomware has been installed:
- Advise the New Zealand Police.
- Advise Netsafe, using ‘The Orb’.
- It is strongly recommended that you DO NOT pay the ransom under any circumstances.
- Undertake the steps outlined above.
Forensic analysis
The priority is remediation of any compromised servers. For schools that require information on the method in which they were compromised, please contact us via our details below.
Schools IT Helpdesk 0800 CALLICT (0800 225 542) or 09 356 3167, email: cal...@tki.org.nz
NetSafe has additional information on steps to protect your school from cybercriminals.
Information Sharing
If you identify any server that has been compromised, we request that you advise the Ministry’s Security and Privacy team via email security...@education.govt.nz. The information that you provide to us will be used to help with advice and guidance for any other affected schools. This information will be shared with appropriate organisations for coordination of response.
Contact us at: bull...@education.govt.nz | education.govt.nz | Follow us on Twitter
You are receiving this email because you are a key school leader and subscribe to the Ministry Bulletin for School Leaders | He Pitopito Kōrero.
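As an added example (not part of the Ministry's bulletin or of any reply in this thread), the three checks the bulletin asks schools to run first, expressed as a small triage script over constructed sample data that stands in for `ps`, `ss -tn` and a remote-access auth log; the sample values, the 80% CPU threshold and the three-failure cut-off are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample inputs standing in for real `ps`, `ss -tn` and auth-log output.
PS_SAMPLE = """\
  PID %CPU COMMAND
  812  0.3 sshd
 2041 97.5 kdevtmpfsi
 2077  1.2 mysqld
"""
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.10:22 192.168.1.55:50112
ESTAB 0 0 192.168.1.10:41322 203.0.113.77:4444
ESTAB 0 0 192.168.1.10:41330 10.0.0.8:443
"""
AUTH_SAMPLE = """\
Jul 15 07:58:01 srv sshd[1201]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jul 15 07:58:03 srv sshd[1201]: Failed password for root from 198.51.100.23 port 40124 ssh2
Jul 15 07:58:05 srv sshd[1201]: Failed password for admin from 198.51.100.23 port 40126 ssh2
Jul 15 08:01:10 srv sshd[1250]: Accepted password for backup from 192.168.1.20 port 50000 ssh2
"""
# Address space treated as "internal" for this check: RFC 1918 ranges plus loopback (assumption).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
FAILED = re.compile(r"Failed password for (\S+) from (\S+) port")

def busy_processes(ps_output, threshold=80.0):
    """Processes at or above the CPU threshold (the bulletin's coin-mining indicator)."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        pid, cpu, cmd = line.split(None, 2)
        if float(cpu) >= threshold:
            hits.append((int(pid), float(cpu), cmd))
    return hits

def external_peers(ss_output):
    """Peer IPs of established connections that leave the internal address space."""
    peers = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if fields[0] != "ESTAB":
            continue
        ip = ipaddress.ip_address(fields[4].rsplit(":", 1)[0])  # peer column, strip port
        if not any(ip in net for net in INTERNAL):
            peers.append(str(ip))
    return peers

def failed_login_sources(auth_log, min_failures=3):
    """Source IPs with repeated failed remote logins (password guessing against SSH/RDP-style access)."""
    counts = Counter(m.group(2) for m in map(FAILED.search, auth_log.splitlines()) if m)
    return {ip: n for ip, n in counts.items() if n >= min_failures}
```

On a live host the same functions can be fed the output of `ps -eo pid,%cpu,comm`, `ss -tn` and the auth log; external peers should then be compared against the services the school actually expects to talk to.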
There is an article about this in the press this morning, it seems to hint that it is only schools connected to the N4L network.
--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
I wonder if it is related to the TeamViewer exploits my security appliance was stopping? Lots of BYOD devices were calling Russia.
--
What appliance do you use if you don't mind me asking?
They suggested a major issue for BYOD is that it was all running in one network with full access to everything else on that network. BYOD devices getting hacked sounds different from BYOD devices hacking into a school server, if the BYOD is a separate network from the servers then it has less to do with hacking the school's servers and more to do with bandwidth use or other nuisances.
Had some cryptoware sneak in which owned the office drive and half of the student drive before it was picked up, wasted right by the AV at the time.
As we had shadow copy and limited user accounts with separate non-login admin accounts for those that needed them, rollback was simple, but if the user had been running as admin it could have killed the shadow copies and forced us to use backups instead.
I also saw the possible N4L link in the media article and wondered if it was a case of schools trusting them a bit too much and not taking their own steps on top of N4L, despite N4L's contention that we should all just trust their edge device to keep traffic safe.
Sent from my Windows 10 phone
> On 15/07/2016, at 8:00 am, Blake Richardson <bla...@stmargarets.school.nz> wrote:
>
>> There is an article about this in the press this morning, it seems to hint that it is only schools connected to the N4L network.
--
Flow In, MA hons Cantab, MSc | ICT Technician | WESTLAND HIGH SCHOOL
Phone: 03 755 6054 | Cell: 022 027 5107 | Fax: 03 755 6269 | i...@westlandhigh.school.nz
PO Box 154, 140 Hampden Street, Hokitika 7842
http://www.westlandhigh.school.nz/
WHAKATERE I Ā TĀTOU HAERENGA - NAVIGATING OUR JOURNEYS
The tech you are after for the SEPM thing is DirectAccess, which gives the laptops a persistent background transparent tunnel back to the school if they have a net connection.
Sent from my Windows 10 phone
<snip>
http://www.fail2ban.org/wiki/index.php/Main_Page