ASD-Cyber-Security-Bulletin-2014-06

ASD CYBER SECURITY BULLETIN
Prevention is better than a Cure
While I was enjoying my leave on a Queensland beach,
it seemed that every time I picked up a newspaper or
caught up on happenings online, there was coverage
of a major compromise of personally identifiable
information due to malicious cyber activity.
These types of security breaches can not only
result in loss of revenue, but a loss of trust among
consumers, partners and suppliers, as well as damage
to an organisation’s reputation for years to come.
The financial costs of a serious compromise can far
outweigh any cyber security budget. With the move
to bring more government services online, the need
to secure personally identifiable information has never
been more important.
As organisations grapple with combating the expanding
sophistication of malicious cyber activities, delivering
resilience and adaptability is a challenge for many.
Reflecting back on 2013, ASD’s Top 4 mitigation
strategies have continued to prove their effectiveness as
the best option for your agency in mitigating targeted
cyber intrusions, based on the incidents that the Cyber
Security Operations Centre responds to.
Issue #13 – June 2014
achieved gradually, firstly on workstations of users
who are most likely to be targeted by cyber intrusions,
and then implementing them on all workstations
and servers. Once this is achieved, organisations can
selectively implement additional mitigation strategies
to address security gaps until an acceptable level of
residual risk is reached.
Of course, not all networks are the same - but to help
in ensuring that networks have strong, consistent and
effective defences, ASD publishes a range of technical
advisories for different audiences. The recent release
of the ASD Protect The Top 4 in a Linux Environment
is an excellent example of how ASD recognises the
practicalities of implementing the mitigation strategies
across different operating environments, and offers
effective advice without compromising on security or
offering a ‘lite’ solution.
2014 will be a big year for cyber security in Australia
with the Australian Cyber Security Centre set to become
operational by the end of the year. My staff and I look
forward to partnering with you as we work together to
defeat the cyber threat.
I have recently been asked whether there is a softened,
‘lite’ version of the Top 4. The simple answer to this is
that there is no ‘Diet Top 4’. Based on ASD’s technical
and operational experience in cyber security, the Top 4
remain the most effective ‘bang for buck’ defence when
implemented as a package. This has been supported
by research from Microsoft and the United States’ SANS
Institute, which has published a revised version of the 20
Critical Controls following the release of ASD’s updated
2014 Strategies to Mitigate Targeted Cyber Intrusions.
Like all aspects of security, there is a cost - but agencies
need to weigh up the risks and address their own
security culture. The Top 4 should form an integral
part of every agency’s cyber security foundation.
Implementing the Top 4 mitigation strategies can be
Joe Franzi is the Assistant Secretary for Cyber
Security at the Australian Signals Directorate.
Inside this issue
Prevention is better than a Cure........................1
Days of Systems Past.........................................2
Harder, Better, Stronger.....................................3
Watch that Webmail...........................................4
The Top 4 for Penguins.......................................5
Issue #13 – June 2014 Page 1

Days
of
Systems
Past
You know that when a product
vendor wants you to stop using
a version of their product, it’s time
to get out. On Tuesday 8 April 2014, support
ended for Windows XP SP3 and Office 2003.
ASD ranks application patching and operating system
patching as the second and third most effective
strategies to mitigate targeted cyber intrusions, as
listed in ASD’s Strategies to Mitigate Targeted Cyber
Intrusions. These two patching strategies recommend
using the latest versions of software, such as
Microsoft Office, and operating systems, including
timely patching for vulnerabilities.
When a developer ceases to provide support for
a product, updates and patches to address critical
vulnerabilities are no longer made available. When
new vulnerabilities are discovered, they can be
easily exploited due to the lack of software support.
After
8 April 2014,
Microsoft will not be providing
updates, security patches or technical support for
Windows XP, Office 2003, Windows Server 2003,
Exchange 2003 and Sharepoint 2003.
It is recommended that any organisation still using
any of these products should upgrade to supported
software as soon as practically possible.
Some Australian Government agencies will have
been unable to fully migrate away from Windows
XP prior to its ‘end of support’ date. ASD has
published guidance to OnSecure on mitigations and
minimising the risk for XP.
So while XP has served a lot of organisations well,
it’s time is now over and agencies need to upgrade
sooner rather than later.
Further Guidance
ASD message and advice on minimising risk for end of support for XP:
www.onsecure.gov.au
Advice from Microsoft on the end of support for XP:
www.microsoft.com/en-au/windows/enterprise/endofsupport.aspx
Issue #13 – June 2014 Page 2

Harder, Better, Stronger
Passwords. We all have them. Lots of them.
Passphrases are common authentication techniques
which enable an agency to verify the stated
identity of a user. However, given the everincreasing
processing power of home computers,
the length and complexity requirements for
passphrases will also continue to increase. This
is necessary to provide agencies with adequate
protection against basic techniques such as brute
force attacks.
A brute force attack involves the attacker
systematically checking every possible passphrase
until the correct one is found. A simple six-letter
password can be brute forced in minutes by
software freely available on the internet.
The requirements for passphrase length and
complexity have been increased in the current
version of the Australian Government Information
Security Manual (ISM), released in March 2014.
What can be done?
Continually increasing the length and complexity
requirements for your system users can be
cumbersome. Users tend to have difficulty
remembering long, complex passphrases
without writing them down.
Agencies can consider implementing additional
authentication measures, such as multi-factor
authentication. This decreases the reliance on long,
complex passphrases. Multi-factor authentication
means choosing two or more of the following
authentication methods:
• y something one knows, such as a passphrase or
response to a challenge or question
• y something one has, such as a passport, physical
token or identity card
• y something one is, such as biometric data, like a
fingerprint or face geometry.
The theft of user credentials can make breaking
into the most well defended networks a walk in
the park. Strengthening agency passphrase policy is
critical to ensuring your agency is a hard target for
malicious intruders.
The ISM is available from the ASD website.
Issue #13 – June 2014 Page 3

Watch that Webmail
Web-based email, or webmail, is a convenient
way to communicate from anywhere, at any time.
Webmail is email that is accessed through a web
browser – such as Windows Live Mail, Gmail, Yahoo
or email provided by Internet Service Providers.
However, government agencies using webmail for
business purposes should be aware of the security
risks of this approach.
Government agencies have their own security
measures for handling email and other sensitive
communications. Employees using a webmail
account for sensitive business information
will not have these same protections for their
communications. This increases the risk of
unauthorised disclosure – and in some cases, this
may even breach legislative requirements.
It is also important to note that agencies may
not have full control over your data when using a
webmail service. Service providers are subject to
the laws and regulations of the country where they
are based. This may involve a number of countries,
depending on where the data is stored and
processed and where it transits.
Foreign governments may have the right to lawfully
access the data held by the webmail service without
user knowledge. It may also be difficult to sanitise
or clean up data spills in the case of a data leak.
ASD has seen malicious emails that have been
sent to government agencies also forwarded onto
users’ personal webmail accounts, which can lead
to the compromise of the device used to access
the webmail – such as a personal mobile phone
or tablet. In some cases, the device may already
be compromised (for example, if you are using a
public terminal or a device running outdated and
vulnerable software.)
If you and your colleagues become accustomed
to seeing webmail used for business, there is the
danger that it will be more difficult to detect the
commonly used intrusion technique of ‘spoofing’.
This is where a webmail account is set up to appear
as if it is a legitimate user, to trick the receiver
into opening the email and clicking on a malicious
link or attachment.
If your agency does allow webmail use, it is recommended that you:
• use your agency’s email service rather than webmail when accessing email from your
work network
• maintain separate accounts for work and personal purposes
• send only publicly available, unclassified government information over webmail –
never send sensitive or classified information
• ensure that your webmail software is up to date with
anti-virus installed
• use a strong and unique password or multi-factor
authentication to enhance the security of your account.
More information is available at the ASD website in the Protect
publication Implications of Using Webmail for Government Business.
Issue #13 – June 2014 Page 4

The Top 4
The Top 4
for Penguins
for Penguins
In today’s
environment, most
organisation workstations use
Microsoft Windows or Linux operating
systems (or a combination of both).
Implementation of the Top 4 in a Linux
environment presents different challenges
to a Windows operating system, particularly
application whitelisting. ASD has released
a new document to assist organisations
in implementing the Top 4 on Linux. This
advice complements ASD’s previously
published guidance document
Implementing the Top 4 in a
Windows Environment.
continued on page 6
Issue #13 – June 2014 Page 5

The Top 4
for Penguins
Application whitelisting on Linux can be very difficult to implement
due to the high amount of resources required for development
and maintenance. While administrators can use the AppLocker
or Software Restriction Policies on Windows-based workstations,
equivalent mechanisms are not present in either the core Linux
kernel or other popular Linux distributions.
However, this does not mean that it can’t be done. ASD is focussed
on technical solutions that are achievable, effective and practical
in the government environment. As a result, ASD’s The Top 4 in a
Linux Environment provides not only guidance on how to implement
application whitelisting on Linux, but also technical advice on how to
harden a Linux machine without it, while still ensuring a comparable
level of security to a Top 4-hardened Windows machine. These
include commercial solutions, SELinux or AppArmour policies, and the
use of custom Linux security modules. The document also provides
technical guidance on patching applications, patching the operating
system and restricting the number of users with administrative
privileges on Linux.
The Top 4 in a Linux Environment is available on ASD’s website
asd.gov.au with a suite of publications designed to assist in
implementation of the Top 4 strategies.
The Top 4 Strategies to Mitigate Targeted Cyber Intrusions has
been shown to prevent at least 85% of cyber intrusion techniques
when implemented as a package. These strategies are based on
those intrusion techniques which target the workstation. The Top 4
strategies are:
1. Application whitelisting
2. Patching applications
3. Patching operating systems
4. Restricting administrator privileges
ASD Contact Details
For non-urgent and general ICT security enquiries:
Email: asd.assist@defence.gov.au
For urgent and operational government ICT security matters:
Phone: 1300 CYBER1 (1300 292 371, select 1 at any time, or
Complete the cyber security incident report form at www.asd.gov.au
Issue #13 – June 2014 Page 6