A Note on Cyber-Security for New Zealand Schools

Today, the Ministry of Education issued a bulletin on Cyber Security in New Zealand Schools. We know that this email may have caused some concerns, so we have put together some information about these threats and what New Era is doing in response.

New Era has a close relationship with the Network for Learning and the Ministry of Education. Since the first cyber-attacks were discovered, New Era has been working closely with the Network for Learning to clearly define current threats, and to take all possible steps towards minimising risk for our clients. 
Today's bulletin reinforces best practice security for schools - a model that New Era recommends and instigates as standard practice across all managed service clients. To further ensure best practice has been adhered to, New Era is in the process of conducting additional security audits across our client networks.

In most cases, there is no immediate action required by your school. Our team will be in contact if any changes or recommendations are required. However, it would be pertinent to take this opportunity to have a discussion with your school community and remind your staff and students to be mindful of security when using ICT. 

Three quick security tips you can share with your staff and students
  1. Never open an email or attachment if you are unsure of its origin or intent
  2. All passwords should be complex, containing a mix of letters in uppercase and lowercase, numerals and also special characters
  3. Passwords should never be shared or stored in a location that can be compromised

We have attached a copy of the original bulletin from the Ministry of Education below for your reference. If you have any questions or concerns, please do not hesitate to get in touch with your New Era client manager.

We wish your school a safe and enjoyable term break. 
Kind Regards,

Greg Strachan

Chief Executive Officer
New Era 

Message from Ministry of Education on Cyber Security


Background

We have been made aware of a number of cyber-attacks that have led to school servers being compromised. Where we become aware that a school’s server is potentially affected, we will contact you immediately. Cybercriminals will attack your servers for a number of reasons; however, our initial assessment is that it is more likely they are motivated to use them as staging posts for other attacks (eg sending spam) or for pure financial gain (eg ransomware), rather than to illegally obtain school data per se.

Recommended action

We recommend that you:
  • Firstly, check ALL school servers for any signs of compromise, specifically remote access logs, processes consuming high amounts of processor time (potential Bitcoin mining) and unusual outbound communication including software / applications contacting overseas IP addresses. Your IT provider or school IT staff will be best placed to assist with this.

We also recommend the following to improve your resilience to cyber-attacks.
  • Enforce a complex password policy and ensure that default passwords for system accounts are changed.
  • Implement two-factor authentication for remote access, such as Remote Desktop Protocol (RDP) and Virtual Private Network (VPN). For more details on VPN go to NetSafe.
  • Apply regular updates to applications and operating systems to ensure up to date protection against known vulnerabilities.
  • Restrict accounts with administrative privileges to make it more difficult for an attacker to install malware and gain access to the wider network.
  • Ensure backups are run regularly with separate backups of both data and server images. Check backups on a regular basis to ensure the backups are successful and can be used to restore data.
  • Ensure a secure configuration of servers by blocking or disabling all externally facing services and ports by default, and only enabling those actually required. This can include whitelisting or blocking external access to administration panels and not using default login credentials.
  • Ensure antivirus software is installed and updated regularly and in all cases no later than 7 days from release of an update from the anti-virus provider.
  • Enable comprehensive logging and ensure that at least three months' logs are retained and backed up. Logging is critical in a forensic context to establish the cause, extent and duration of any future incident.

What to do if a compromise is identified

If you identify any signs of compromise, we recommend the following:
  • Immediately isolate the compromised server(s) from the internet.
  • Force a password change for all user accounts, including network accounts.
  • Rebuild the server. Rebuilding the server is crucial to ensure removal of all malware and methods of access created by the attackers. If your school seeks to enlist the services of a security provider to conduct a forensic investigation of the incident, they will require access to the server to conduct analysis prior to the server being rebuilt.

If ransomware is identified

If you identify ransomware has been installed:
  • Advise the New Zealand Police.
  • Advise Netsafe, using ‘The Orb’.
  • It is strongly recommended that you DO NOT pay the ransom under any circumstances.
  • Undertake the steps outlined above.

Forensic analysis

The priority is remediation of any compromised servers. For schools that require information on the method in which they were compromised, please contact us via our details below.

Schools IT Helpdesk 0800 CALLICT (0800 225 542) or 09 356 3167, email: callict@tki.org.nz

NetSafe has additional information on steps to protect your school from cybercriminals.

Information Sharing

If you identify any server that has been compromised, we request that you advise the Ministry’s Security and Privacy team via email security.privacy@education.govt.nz. The information that you provide to us will be used to help with advice and guidance for any other affected schools. This information will be shared with appropriate organisations for coordination of response.
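
The server check listed first under "Recommended action" (remote access logs, processes with high processor use, unusual outbound communication) can be scripted. The Python below is an added example, not part of the Ministry's bulletin or of New Era's tooling. The expected-network list, the log line format and all sample data are constructed assumptions, and it flags addresses outside the networks a school expects rather than geolocating overseas ones.

```python
import ipaddress

# Assumption: networks the school expects to see (its LAN and its IT provider).
# Documentation ranges are used here; substitute the real ones.
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Constructed sample data, not taken from any real server.
REMOTE_LOGONS = """\
2017-04-10T08:02:11 jsmith 10.20.4.17 success
2017-04-11T02:41:53 administrator 203.0.113.77 failure
2017-04-11T02:41:58 administrator 203.0.113.77 failure
2017-04-11T02:44:09 administrator 203.0.113.77 success
2017-04-11T09:15:30 provider-admin 192.0.2.25 success
"""
PROCESSES = [("sqlservr.exe", 12.0), ("svch0st.exe", 97.5), ("backup.exe", 35.0)]
OUTBOUND = [("svch0st.exe", "198.51.100.9", 3333), ("backup.exe", "10.20.1.5", 445)]

def is_expected(addr):
    """True when the address belongs to one of the expected networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in EXPECTED_NETS)

def triage(logons=REMOTE_LOGONS, processes=PROCESSES, outbound=OUTBOUND, cpu_limit=80.0):
    """Return (kind, detail) findings for the three signs named in the bulletin."""
    findings = []
    failures = {}  # failed remote logons seen so far, per source address
    for line in logons.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        when, user, src, result = parts
        if result == "failure":
            failures[src] = failures.get(src, 0) + 1
        elif not is_expected(src):
            # A successful remote logon from an unexpected network
            findings.append(("remote-logon", f"{user} from {src} at {when} "
                             f"after {failures.get(src, 0)} failures"))
    for name, cpu in processes:
        if cpu >= cpu_limit:
            findings.append(("high-cpu", f"{name} at {cpu}%"))
    for name, dst, port in outbound:
        if not is_expected(dst):
            findings.append(("outbound", f"{name} -> {dst}:{port}"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage():
        print(f"{kind:13} {detail}")
```

A successful logon that follows repeated failures from the same unexpected address, combined with a high-CPU process making unexpected outbound connections, is the pattern the bulletin asks IT staff to look for.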