The Reserve Bank's use of a file sharing system hacked over the summer, was not limited to secure file transfers as intended thus placing more information at risk to attack than would have otherwise been the case, a KPMG report on the incident says.
The Reserve Bank has released a "public summary" of a KPMG "independent" review of its systems and processes commissioned earlier this year.
In February the Reserve Bank said personal information such as dates of birth, credit details and personal email addresses was stolen during the data breach in December, which lead to significant delays in the Reserve Bank's regular data releases.
Unauthorised access was obtained to a third-party developed file transfer system, Accellion File Transfer Application, used by the Reserve Bank in late 2020. KPMG says access was obtained by exploiting a previously unknown vulnerability in the application.
According to a public report commissioned by Accellion from cybersecurity forensics company FireEye, the vulnerability was first exploited by a cybercriminal group on 16 December 2020. Subsequently several additional attacks occurred at companies and government organisations worldwide. The attack targeted known users of the application, which was used by the Reserve Bank to share and store sensitive information. KPMG says some of that information is likely to have been obtained by an "external threat actor."
"Usage of the System by the [Reserve] Bank was not limited to secure file transfers as intended. Working practices evolved over time to the point where the System was also used as an information repository and collaboration tool, which was not in adherence with the Bank’s 2014 guidelines on acceptable use of the System. Adherence would have significantly reduced the volume of information at risk," KPMG says.
KPMG's focus is largely on the containment phase of the Reserve Bank's response to the attack up until January 9. The firm says detailed analysis of what data was breached, and the subsequent actions undertaken, happened after the period covered by its report, and was subject to work performed by other independent parties hired by the Reserve Bank.
The Reserve Bank’s response to the attack continued for some months beyond January 9, alongside domestic and international cyber security experts and other relevant authorities.
"The data breach was contained by the [Reserve] Bank and the required software update applied within 24 hours of being notified by the vendor on 6 January 2021," KPMG says.
The firm says while the direct cause of the incident, the zero-day vulnerability, couldn't have been predicted, several key contributing factors directly impacted the scale and impact of the data breach.
These included the fact that although software updates to address the issue were released by Accellion in December soon after it discovered the vulnerability, the email tool used by Accellion failed to send the email notifications, KPMG says. Consequently the Reserve Bank wasn't notified until January 6. The Reserve Bank deployed the software updates on January 7, and started investigating whether a breach had occurred.
"We have not sighted evidence that the vendor informed the [Reserve] Bank that the System vulnerability was being actively exploited at other customers. This information, if provided in a timely manner is highly likely to have significantly influenced key decisions that were being made by the Bank at the time. Having said this, the nature of the information provided in relation to the software update did indicate that the updates contained 'critical, time-sensitive security fixes' which drove the immediacy of the Bank’s response," KPMG says.
It also says there were initial alerts of potential malicious activity on the System in December that would have helped provide early detection had they been identified and/or followed up by the Reserve Bank’s support staff.
"These alerts were default alerts enabled within the System since 2015. There were also some key controls and working practices that were within the Bank’s control that were not implemented, and/or existing controls that were ineffective which also directly impacted the scale and impact of the data breach," KPMG says.
These include that the System hadn't undergone a certification and accreditation (C&A) process to understand and ensure that any key risks were identified and managed.
"The C&A process typically includes a systems risk assessment and controls audit and would also document the classification of the information that is stored on the system along with the high-level security requirements and information protection priorities. This could have highlighted the risks with the Bank’s usage of the System."
RBNZ implementing KPMG's recommendations
Governor Adrian Orr says the Reserve Bank accepts KPMG's findings and is implementing its recommendations.
“As signalled in our Statements of Intent, we are well advanced on multiyear investment initiatives related to our digital systems and data management. We have prioritised these initiatives consistent with the recommendations outlined in the reports,” Orr says.
“While we were the victim of a widespread illegal attack on the file sharing system, the Reserve Bank takes full responsibility for our shortfalls identified in the KPMG report,” says Orr.
“We were over reliant on Accellion – the supplier of the file transfer application – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning."
“I am disappointed about the incident and the impact it has had on people, including our own team. I am confident, however, that we have responded with urgency, precision, and care," Orr says.
“I also again extend my apologies to all individuals and institutions that were affected by this illegal breach. I especially thank the Office of the Privacy Commissioner who have worked closely with us throughout the incident.”
The Reserve Bank won't name the individuals or institutions who were affected. And nor will it say what data was breached.
"The Reserve Bank recognises the public interest in the incident and our response, but for security reasons we are unable to provide specific details on some parts of the data breach and our response. This includes details of those affected by the breach," a Reserve Bank spokesman told interest.co.nz.
"We worked with a range of public authorities and experts in responding to the breach, but we will not be releasing technical analysis of the data breached or guidance received as part of our response."
KPMG's recommendations are detailed below.
Key recommendations 1.0
Consider conducting more frequent incident simulations to ensure key Bank staff and their delegates are familiar with all of the requirements of the Major Incident Response Plan, and adhere to the key requirements (or document the rationale for any deviations) such as maintaining a complete and accurate incident timeline. Update the detailed incident log accordingly.
Key recommendations 2.0
Review ongoing security training requirements for staff supporting critical systems based on the nature and type information stored and processed and the key users of the system or information.
Review monitoring and alerting protocols for all key security and operational alerts to ensure there is appropriate escalation and a peer review/QA process to help ensure key incident information is not missed and the incident actions register is updated.
Improve the continuous monitoring of the control environment for vulnerabilities, potential threats, and attacks by formalising a program of audits, risk assessments and user awareness of policies and procedures.
Create a Digital Services On-Call & Overtime policy that aligns with the Bank’s current requirements and clarifies staff roles and responsibilities.
Key recommendations 3.0
Formalise the security strategy and roadmap and PSR/NZISM compliance architecture that is aligned with the Bank’s risks and is endorsed by the SLT and the Board.
Formalise the risk management process for C&A requirements and end of life platform exemptions and risk acceptance.
Develop, enforce and monitor acceptable use guidelines and minimum security standards for all critical applications.
Integrate the cyber and enterprise risk management frameworks to ensure consistent risk treatment and/or reduce gaps in risk identification.
Develop baseline standards for vendor communication protocols including requirements for maintaining/updating contact lists and agreed escalation protocols. These should form part of all vendor agreements.
Develop a policy/guidance for users to cover situations where an external party may mandate its own file sharing tools/protocols that may conflict with Bank policies.
Key recommendations 4.0
Develop a formal enterprise framework for data/information management that includes a formally approved enterprise wide classification standard.
Establish clear policies and guidelines for the security of data in unstructured storage.
Create a formal framework for vendor and asset management
Define Platform and Information owner roles and responsibilities for support/on call and training/certification requirements.
Develop a framework for third party risk Management that assesses the risk associated with all critical providers and defines controls that have been implemented.
19 Comments
Encryption solves very little if you are inside the defined boundary of the system where it applies. e.g. files are encrypted on disk => any user logged into the system will still have access to the unencrypted files (login implies the keys to decrypting any file).
Implementing useful and effective 'per file encryption' is very difficult and probably not even advisable. Most systems only settle for transport encryption. Often implementations of at-rest encryption only solve the problem of someone stealing the physical server -- and very little else.
"Implementing useful and effective 'per file encryption' is very difficult and probably not even advisable.
This is pure nonsense, you know that right ?
Just because you login it does not mean the files can not be encrypted at rest.
Many of us are using encryption every day at work and in our private life.
If you use a 20+ years old legacy system, as the information available https://en.wikipedia.org/wiki/Accellion suggests you are asking for trouble.
You need the right people in the right places to keep these systems secure, maintained, updated.
I expect that you have very little understanding of what your actual security posture is and real data exposure is. What you're saying is all true, but it's not really relevant to what I said. I'm saying that just because there is encryption does not mean it's useful at all in preventing data exfiltration.
Feel free to explain how to implement effective key management in a per-object encryption scenario that doesn't kill 99% of usability.
Firstclass is correct here Eudaemonic. Asymmetric Encryption is standard practice for most online applications that need securing these days. And it happens at the object level, and should be also implemented in the db. JSON Web Tokens are a perfect example of this. AWS S3 is an example of data at rest that can be stored encrypted and encoded/decoded with a public/private key pairing.
The RBNZ (and many government departments) are completely negligent when it comes to a lot of this stuff, relying on VPNs and Firewalls like it's still 1999. Then when it comes to Vendors for delivering cloud solutions, they go with "Enterprise Solutions" that are typically awful. Some manager somewhere without an ounce of technical expertise makes the final decision. If it wasn't so serious it would be hilarious.
"First class problem" said the multiple home owner.
https://www.google.com/amp/s/www.newshub.co.nz/home/politics/2020/11/re…
Just got email and Mr Orr said that housing is cooling, so how come house price touching new height - So was Mr Orr Lying..... :
The weather may be cooling down, but plenty of heat still remains in the property market, with average house prices hitting yet another record of $815,700, a 16% increase on last year.
It’s a challenging time to be a first home buyer so we’re sharing our tips on how to compete with investors and developers and secure your first property.
Of interest is "In February the Reserve Bank said personal information such as dates of birth, credit details and personal email addresses was stolen during the data breach in December," ... What on earth is RBNZ holding personal details. They are not a retail/high St bank. Are this individuals millions in hock to the retail banks necessitating informing RBNZ?
No doubt RBNZ are going to terminate the contract with Accellion either forthwith or when it expires. Some organisations and individuals reward very poor performance with continued business.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.