ASD-Cyber-Security-Bulletin-2014-06
ASD CYBER SECURITY BULLETIN<br />
Issue #13 – June 2014<br />
Prevention is better than a Cure<br />
While I was enjoying my leave on a Queensland beach, it seemed that every time I picked up a newspaper or caught up on happenings online, there was coverage of a major compromise of personally identifiable information due to malicious cyber activity.<br />
These types of security breaches can result not only in loss of revenue, but also in a loss of trust among consumers, partners and suppliers, as well as damage to an organisation’s reputation for years to come. The financial costs of a serious compromise can far outweigh any cyber security budget. With the move to bring more government services online, the need to secure personally identifiable information has never been more important.<br />
As organisations grapple with combating the expanding sophistication of malicious cyber activities, delivering resilience and adaptability is a challenge for many. Reflecting back on 2013, ASD’s Top 4 mitigation strategies have continued to prove their effectiveness as the best option for your agency in mitigating targeted cyber intrusions, based on the incidents that the Cyber Security Operations Centre responds to.<br />
I have recently been asked whether there is a softened, ‘lite’ version of the Top 4. The simple answer to this is that there is no ‘Diet Top 4’. Based on ASD’s technical and operational experience in cyber security, the Top 4 remain the most effective ‘bang for buck’ defence when implemented as a package. This has been supported by research from Microsoft and the United States’ SANS Institute, which has published a revised version of the 20 Critical Controls following the release of ASD’s updated 2014 Strategies to Mitigate Targeted Cyber Intrusions.<br />
Like all aspects of security, there is a cost, but agencies need to weigh up the risks and address their own security culture. The Top 4 should form an integral part of every agency’s cyber security foundation.<br />
Implementing the Top 4 mitigation strategies can be achieved gradually, firstly on workstations of users who are most likely to be targeted by cyber intrusions, and then implementing them on all workstations and servers. Once this is achieved, organisations can selectively implement additional mitigation strategies to address security gaps until an acceptable level of residual risk is reached.<br />
Of course, not all networks are the same, but to help in ensuring that networks have strong, consistent and effective defences, ASD publishes a range of technical advisories for different audiences. The recent release of the ASD Protect The Top 4 in a Linux Environment is an excellent example of how ASD recognises the practicalities of implementing the mitigation strategies across different operating environments, and offers effective advice without compromising on security or offering a ‘lite’ solution.<br />
2014 will be a big year for cyber security in Australia with the Australian Cyber Security Centre set to become operational by the end of the year. My staff and I look forward to partnering with you as we work together to defeat the cyber threat.<br />
Joe Franzi is the Assistant Secretary for Cyber Security at the Australian Signals Directorate.<br />
Inside this issue<br />
Prevention is better than a Cure (page 1)<br />
Days of Systems Past (page 2)<br />
Harder, Better, Stronger (page 3)<br />
Watch that Webmail (page 4)<br />
The Top 4 for Penguins (page 5)<br />
Days of Systems Past<br />
You know that when a product vendor wants you to stop using a version of their product, it’s time to get out. On Tuesday 8 April 2014, support ended for Windows XP SP3 and Office 2003.<br />
ASD ranks application patching and operating system patching as the second and third most effective strategies to mitigate targeted cyber intrusions, as listed in ASD’s Strategies to Mitigate Targeted Cyber Intrusions. These two patching strategies recommend using the latest versions of software, such as Microsoft Office, and operating systems, including timely patching for vulnerabilities.<br />
When a developer ceases to provide support for a product, updates and patches to address critical vulnerabilities are no longer made available. When new vulnerabilities are discovered, they can be easily exploited due to the lack of software support.<br />
After 8 April 2014, Microsoft will not be providing updates, security patches or technical support for Windows XP, Office 2003, Windows Server 2003, Exchange 2003 and SharePoint 2003.<br />
It is recommended that any organisation still using any of these products should upgrade to supported software as soon as practically possible.<br />
Some Australian Government agencies will have been unable to fully migrate away from Windows XP prior to its ‘end of support’ date. ASD has published guidance to OnSecure on mitigations and minimising the risk for XP.<br />
So while XP has served a lot of organisations well, its time is now over and agencies need to upgrade sooner rather than later.<br />
Further Guidance<br />
ASD message and advice on minimising risk for end of support for XP: www.onsecure.gov.au<br />
Advice from Microsoft on the end of support for XP: www.microsoft.com/en-au/windows/enterprise/endofsupport.aspx<br />
Harder, Better, Stronger<br />
Passwords. We all have them. Lots of them.<br />
Passphrases are common authentication techniques which enable an agency to verify the stated identity of a user. However, given the ever-increasing processing power of home computers, the length and complexity requirements for passphrases will also continue to increase. This is necessary to provide agencies with adequate protection against basic techniques such as brute force attacks.<br />
A brute force attack involves the attacker systematically checking every possible passphrase until the correct one is found. A simple six-letter password can be brute forced in minutes by software freely available on the internet.<br />
The requirements for passphrase length and complexity have been increased in the current version of the Australian Government Information Security Manual (ISM), released in March 2014.<br />
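To put numbers on the brute-force argument above, here is an added Python example (not part of the bulletin and not ASD code) that works out how long an exhaustive search of a given character set and length takes at an assumed guess rate, and the minimum length needed to keep a target exhaustion time as guess rates grow. The guess rates are constructed, illustrative figures, not measurements.

```python
import math

# Alphabet sizes a policy might allow; sizes only, not any specific policy.
CHARSETS = {
    "lowercase letters": 26,
    "mixed case and digits": 62,
    "mixed case, digits and symbols": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive (brute-force) search must cover."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who tries every candidate at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second


def min_length_for(charset_size: int, guesses_per_second: float, target_seconds: float) -> int:
    """Smallest length whose full keyspace takes at least target_seconds to exhaust.

    Solves charset_size ** L / rate >= target for the smallest integer L.
    """
    needed = math.log(target_seconds * guesses_per_second) / math.log(charset_size)
    return max(1, math.ceil(needed))


def required_lengths(charset_size: int, rates: list, target_seconds: float) -> list:
    """Required length at each assumed guess rate: the 'requirements keep rising' effect."""
    return [min_length_for(charset_size, r, target_seconds) for r in rates]


if __name__ == "__main__":
    # Constructed, illustrative guess rates (guesses per second), not measurements.
    rates = [1e6, 1e9, 1e12]
    ten_years = 10 * 365.25 * 86400
    # The bulletin's own example: a six-letter lowercase password.
    t = seconds_to_exhaust(26, 6, rates[0])
    print(f"six lowercase letters at {rates[0]:.0e} guesses/s: {t / 60:.1f} minutes worst case")
    for name, size in CHARSETS.items():
        print(f"{name}: length needed to survive ten years of search at rates {rates} "
              f"-> {required_lengths(size, rates, ten_years)}")
```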
What can be done?<br />
Continually increasing the length and complexity requirements for your system users can be cumbersome. Users tend to have difficulty remembering long, complex passphrases without writing them down.<br />
Agencies can consider implementing additional authentication measures, such as multi-factor authentication. This decreases the reliance on long, complex passphrases. Multi-factor authentication means choosing two or more of the following authentication methods:<br />
• something one knows, such as a passphrase or response to a challenge or question<br />
• something one has, such as a passport, physical token or identity card<br />
• something one is, such as biometric data, like a fingerprint or face geometry.<br />
The theft of user credentials can make breaking into the most well-defended networks a walk in the park. Strengthening agency passphrase policy is critical to ensuring your agency is a hard target for malicious intruders.<br />
The ISM is available from the ASD website.<br />
Watch that Webmail<br />
Web-based email, or webmail, is a convenient way to communicate from anywhere, at any time. Webmail is email that is accessed through a web browser – such as Windows Live Mail, Gmail, Yahoo or email provided by Internet Service Providers. However, government agencies using webmail for business purposes should be aware of the security risks of this approach.<br />
Government agencies have their own security measures for handling email and other sensitive communications. Employees using a webmail account for sensitive business information will not have these same protections for their communications. This increases the risk of unauthorised disclosure – and in some cases, this may even breach legislative requirements.<br />
It is also important to note that agencies may not have full control over their data when using a webmail service. Service providers are subject to the laws and regulations of the country where they are based. This may involve a number of countries, depending on where the data is stored and processed and where it transits.<br />
Foreign governments may have the right to lawfully access the data held by the webmail service without user knowledge. It may also be difficult to sanitise or clean up data spills in the case of a data leak.<br />
ASD has seen malicious emails that have been sent to government agencies also forwarded on to users’ personal webmail accounts, which can lead to the compromise of the device used to access the webmail – such as a personal mobile phone or tablet. In some cases, the device may already be compromised (for example, if you are using a public terminal or a device running outdated and vulnerable software).<br />
If you and your colleagues become accustomed to seeing webmail used for business, there is the danger that it will be more difficult to detect the commonly used intrusion technique of ‘spoofing’. This is where a webmail account is set up to appear as if it belongs to a legitimate user, to trick the receiver into opening the email and clicking on a malicious link or attachment.<br />
If your agency does allow webmail use, it is recommended that you:<br />
• use your agency’s email service rather than webmail when accessing email from your work network<br />
• maintain separate accounts for work and personal purposes<br />
• send only publicly available, unclassified government information over webmail – never send sensitive or classified information<br />
• ensure that your webmail software is up to date with anti-virus installed<br />
• use a strong and unique password or multi-factor authentication to enhance the security of your account.<br />
More information is available at the ASD website in the Protect publication Implications of Using Webmail for Government Business.<br />
The Top 4 for Penguins<br />
In today’s environment, most organisation workstations use Microsoft Windows or Linux operating systems (or a combination of both). Implementation of the Top 4 in a Linux environment presents different challenges to a Windows operating system, particularly application whitelisting. ASD has released a new document to assist organisations in implementing the Top 4 on Linux. This advice complements ASD’s previously published guidance document Implementing the Top 4 in a Windows Environment.<br />
Application whitelisting on Linux can be very difficult to implement due to the high amount of resources required for development and maintenance. While administrators can use AppLocker or Software Restriction Policies on Windows-based workstations, equivalent mechanisms are not present in either the core Linux kernel or other popular Linux distributions.<br />
However, this does not mean that it can’t be done. ASD is focussed on technical solutions that are achievable, effective and practical in the government environment. As a result, ASD’s The Top 4 in a Linux Environment provides not only guidance on how to implement application whitelisting on Linux, but also technical advice on how to harden a Linux machine without it, while still ensuring a comparable level of security to a Top 4-hardened Windows machine. The approaches covered include commercial solutions, SELinux or AppArmor policies, and the use of custom Linux security modules. The document also provides technical guidance on patching applications, patching the operating system and restricting the number of users with administrative privileges on Linux.<br />
The Top 4 in a Linux Environment is available on ASD’s website asd.gov.au with a suite of publications designed to assist in implementation of the Top 4 strategies.<br />
The Top 4 Strategies to Mitigate Targeted Cyber Intrusions have been shown to prevent at least 85% of cyber intrusion techniques when implemented as a package. These strategies are based on those intrusion techniques which target the workstation. The Top 4 strategies are:<br />
1. Application whitelisting<br />
2. Patching applications<br />
3. Patching operating systems<br />
4. Restricting administrator privileges<br />
ASD Contact Details<br />
For non-urgent and general ICT security enquiries:<br />
Email: asd.assist@defence.gov.au<br />
For urgent and operational government ICT security matters:<br />
Phone: 1300 CYBER1 (1300 292 371), select 1 at any time, or<br />
complete the cyber security incident report form at www.asd.gov.au<br />