ISMF Guideline 18 - Endpoint protection (including smartphones and portable devices)

OCIO/G4.18
Government guideline on cyber security
ISMF Guideline 18
Endpoint protection (incl. smartphones and portable devices)
BACKGROUND
The SA Government’s ICT services environment is essential for delivering services within
government and to the community. This dependence on information systems and services
requires ongoing and sustained device management to reduce service outages and information
theft or corruption in light of new and emerging security vulnerabilities and threats.
The opportunity to connect a variety of privately-owned and corporate devices (such as
smartphones and tablets) to the government’s computing network poses an increasingly important
risk.
Endpoint protection is an umbrella term for security techniques that focus on the devices connected
to the network. It requires that each computing device on a network complies with a set of
standards for network access, and it involves monitoring the status, activities, software,
authorisation and authentication of connected devices.
The Australian Government’s Defence Signals Directorate has established that most cyber
intrusion techniques could be mitigated by implementing the following key practices[1]:
1. Catching malicious software through Endpoint application whitelisting
2. Patching each Endpoint operating system and application vulnerability
3. Matching the right people with appropriate privileges on the system
Together with a number of additional requirements related to Endpoint protection, these practices
have been adopted as ISMF Standard 141[2]. This guideline supports implementation of ISMF Policy
Statement 18.
GUIDANCE
This guideline has been developed to provide information concerning the measures that should be
implemented to provide appropriate levels of protection for Endpoint devices.
[1] Top 4 Mitigation Strategies to Protect Your ICT System, Australian Signals Directorate, Australian Government.
[2] ISMF Standard 141 is introduced in ISMF version 3.2.0.
WHITELISTING
Whitelisting of applications can form an effective component of an Endpoint “Defense in Depth”
security strategy. In simple terms, this practice allows only trusted applications to run while
blocking all others. Application whitelisting has been established as the number one security
practice in terms of return on investment[3][4].
Controls S141.2 and S141.5 issued under ISMF Standard 141 require Agencies to consider
implementing application whitelisting to prevent the use of applications that are not sanctioned by
the business, have not been adequately tested, or are not required by the user to perform their
duties, and to remove or otherwise disable non-essential software and functionality (including
browser and web navigation plug-ins) according to the following guidance:
Applicability: All classifications

Guidance: The Business Owner should establish a formal policy prohibiting the use of unauthorised
Endpoint device applications prior to commissioning Endpoint devices into the operating
environment.
References: ISMF Standard 54

Guidance: Responsible Parties should implement processes for authorising applications as approved
by the Business Owner prior to their deployment into the operating environment. These processes
should utilise up-to-date tools and services[5] for identifying and managing applications, such as
tools with automated whitelist and exception management.
References: ISMF Standard 54

Guidance: Responsible Parties should use suitable configuration techniques to control all authorised
and implemented applications. Examples include techniques based on establishing trust with known
application publishers and whitelisting services, or controlled patch management systems.
References: ISMF Standard 113

Applicability: [SLC] Sensitive: Legal or Commercial; [I3] Integrity 3

Guidance: Responsible Parties should deploy Endpoint applications based on the device user’s
role-specific functions and activities (need-to-use basis). Role-based application execution
privileges may be applied according to the best-practice guidance provided in section PRIVILEGES.
References: ISMF Standard 78

Guidance: Responsible Parties should conduct at least quarterly Endpoint application reviews, and
examine any unapproved applications.
References: ISMF Standard 54

Guidance: Responsible Parties should audit log and monitor all operational application updates, and
analyse and report whitelisting discrepancies to the Business Owner as needed, but at least
quarterly.
References: ISMF Standard 113
[3] Top 4 Mitigation Strategies to Protect Your ICT System, Australian Signals Directorate, Australian Government.
[4] Application Whitelisting Explained, Australian Signals Directorate, Australian Government.
[5] Examples of contemporary tools include the Bit9 Security Platform, Lumension Application Control and Kaspersky Endpoint Security suite.
PATCHING
Patching devices, particularly their operating systems and applications, is a highly effective security
practice because it mitigates exploitation of known vulnerabilities.
In support of control S141.2, Responsible Parties should maintain the operating system and
installed applications with relevant patches as provided by the manufacturer following best practice
guidance.
Applicability: All classifications; [SLC] Sensitive: Legal or Commercial; [A3] Availability 3

Guidance: Responsible Parties should monitor vulnerability notifications from device or application
vendors on a daily basis (e.g. through authoritative vulnerability notification services).
References: ISMF Standard 121

Guidance: Responsible Parties should undertake vulnerability risk assessment and patching on all
Endpoint devices to the current security patch level (n) within 48 hours of patch availability.
References: ISMF Standard 121

Guidance: Responsible Parties should implement a strategy for periodically scanning or otherwise
monitoring all Endpoint devices for known vulnerabilities and appropriate patch implementation.
Additional automated tools and utilities may assist in this undertaking[6].
References: ISMF Standard 121

Guidance: Responsible Parties should have in place defined procedures for establishing,
documenting, maintaining and changing the Endpoint patch configuration, e.g. as part of an overall
Endpoint configuration management strategy.
References: ISMF Standard 116

Guidance: Patching should be agreed with the Business Owner and only performed after successful
verification and testing outside of the production environment.
References: ISMF Standard 53; ISMF Standard 50

Guidance: Responsible Parties should consider compensating controls, such as segmentation of
networks, if keeping security patch levels current within 48 hours is not practical at all times.
References: ISMF Standard 84; ISMF Standard 134
Agencies should also weigh up the merits versus risks of permitting user-level accounts to
self-install patches for approved agency Endpoint applications and/or the operating system. This is
described in control S78.5 (Privilege Management) of the ISMF:
S78.5. Agencies shall define and enforce policies and/or procedures defining what (if any)
software may be installed by non-privileged accounts (such as user accounts). Such
measures should factor in the relative value versus risk of permitting user accounts to
install security patches and updates to existing software that is present on the
information asset(s). Implementation of this control S78.5 and ISMF Standard 78
satisfies the requirements and objectives described by control 12.6.2 of the ISO/IEC
27002:2013 standard.
[6] Example tools include but are not limited to the Secunia Corporate Software Inspector, Lumension or Shavlik suites of tools.
PRIVILEGES
Ensuring users are provided with adequate rather than excessive privilege is a prudent measure to
counter cyber threats, as it helps to reduce Endpoint device misuse. Administrative privileges are
particularly significant, since over-allocation of account privileges can exacerbate Endpoint device
compromise.
Control S141.3 under ISMF Standard 141 specifies that Responsible Parties should establish
procedures for the granting and revocation of administrative privileges while discouraging their use
unless explicitly required, according to the following best practice guidance:
Applicability: All classifications; [I3] Integrity 3

Guidance: Business Owners should integrate Endpoint device access privilege management into the
Agency’s information access policy (refer ISMF Standard 76 Access control policy).
References: ISMF Standard 76

Guidance: Responsible Parties should maintain and regularly review the security mechanisms for
granting and revoking Endpoint device privileges.
References: ISMF Standard 77

Guidance: Responsible Parties should strictly assign Endpoint access privileges based on a user’s
functions and role, and restrict access to the information assets they need to carry out their job.
References: ISMF Standard 78

Guidance: Responsible Parties must not assign excessive privileges (e.g. administrative privileges)
to Endpoint device users, even temporarily. When users need to perform privileged tasks, the
permission must be limited to the specific tasks. If this is not practical, authorised administrators
should perform the tasks. Consideration should be given to implementing products to define and
manage access to administrator accounts (e.g. “Sudo”, “Run as…”). This removes the need to share
broad administrative privileges between those requiring that level of access, and allows access to
be defined only for the specific functions required to meet job responsibilities.
References: ISMF Standard 78

Guidance: Responsible Parties should prescribe suitable procedures and authentication techniques
that prevent privilege sharing, such as shared Endpoint device logins.
References: ISMF Standard 94

Guidance: Responsible Parties should log all privileged account allocations, changes and activity
for regular review.
References: ISMF Standard 80

Guidance: Responsible Parties should review privileged allocations and changes when significant
employment changes occur, but at least every three months.
References: ISMF Standard 77

Guidance: Business Owners should authorise privileged Endpoint access (e.g. administrative
privileges), and undertake a comprehensive review relative to general user access rights at least
quarterly.
References: ISMF Standard 80
INACTIVITY MEASURES FOR UNATTENDED DEVICES
Devices may be prone to being operational but unattended for extended periods (e.g. user(s)
remain logged-in with applications running). This provides easy access to the Endpoint device, its
information and the environment it is connected to. Inactivity measures can reduce this risk. They
limit how long an Endpoint can be unattended or inactive.
Controls S141.7 and S141.8 under ISMF Standard 141 require Responsible Parties to consider
additional controls for unattended or inactive Endpoint devices according to the following best
practice guidance:
Applicability: All classifications; Sensitive; Integrity 2; Availability 2

Guidance: Responsible Parties must implement measures to progressively limit access to an
Endpoint device, or revoke the device’s access to its operating environment. The following timeout
measures should be considered:
- Lock: clear or lock the Endpoint device screen to conceal information from public view
- Close: log the user out of applications, or the Endpoint device, and require re-authentication.
  Discourage or disable silent re-authentication via cached credentials or background
  re-authentication
- End: end application sessions, applications or connections on inactive mobile or remote Endpoint
  devices outside the organisation’s physical security controls, or de-provision devices via remote
  wipe
References: ISMF Standard 97

Guidance: Responsible Parties should consider implementing timeout activation after 15 minutes of
inactivity.
References: ISMF Standard 97

Guidance: Responsible Parties should implement timeouts not exceeding 2 minutes of system user
inactivity for mobile or remote Endpoint devices outside the organisation’s physical security
controls. Any inactivity measures should take into account business and technical timeout
constraints, including the impact of timeout measures on a user’s ability to use the Endpoint
device in a time-critical situation, or the disruption of user-initiated background activities.
References: ISMF Standard 97

Guidance: Responsible Parties should restrict mobile Endpoint device connections to specified times
during normal or extended office hours, or to predetermined or explicitly arranged time slots.
References: ISMF Standard 98
MALICIOUS SOFTWARE PROTECTION
Malicious software (malware), including viruses, trojans, ransomware, adware and backdoors
(covert channels), is executable code designed to disrupt or undermine a computer system.
Without adequate protection, it can easily spread from one infected device to an entire network,
often without the knowledge of the user. Once introduced, it can be used to gain access to
sensitive or classified information, or to compromise the availability and integrity of an
organisation’s services, systems or information.
Control S141.1 under ISMF Standard 141 requires Responsible Parties to deploy and maintain
appropriate anti-virus/anti-malware solutions encompassing Endpoint devices with consideration of
the following best practice guidance:
Applicability: All classifications

Guidance: The Business Owner should establish a formal policy requiring that all Endpoint devices
used to conduct SA Government business have fit-for-purpose anti-malware tools installed[7].
References: ISMF Standard 54

Guidance: Responsible Parties should consider anti-malware tools using contemporary malware
protection techniques and characteristics, including:
- reputation-based analysis, which determines trustworthiness based on external factors, such as
  software origin and known usage history
- heuristic analysis, which determines trustworthiness based on software characteristics such as
  harmful instructions or execution behaviours
- cross-platform coverage, which means protection is provided across Endpoint device platforms

Guidance: Responsible Parties should configure anti-malware tools to automatically scan all files
that are accessed on, or downloaded to, the Endpoint device.
References: ISMF Standard 54

Guidance: Responsible Parties should implement a strategy for periodically scanning or otherwise
monitoring all Endpoint devices for known malware.
References: ISMF Standard 54

Guidance: Responsible Parties should update the tool’s data files for malware identification on a
daily basis.
References: ISMF Standard 54

[7] Examples include the McAfee, Trend Micro and Kaspersky endpoint protection suites of tools.
MOBILE AND PORTABLE DEVICES
Mobile and portable devices, such as smartphones, tablets or notebook computers, have unique
Endpoint protection concerns due to their personal nature (e.g. employee-owned devices),
technical capabilities (e.g. easy connectivity), and portability (e.g. convenience of use outside of
the organisation’s physical security controls).
In recognition of the unique risks of mobile Endpoint devices (also referred to as mobility devices),
Agencies should develop and implement specific policies, procedures and controls to prevent
unauthorised device access with consideration of the following best practice guidance:
Applicability: All classifications

Guidance: Business Owners should establish a policy governing the use of mobile Endpoint devices.
It will need to consider if ‘bring-your-own-device’ is an appropriate practice, and in the affirmative
should address practice and procedures for personnel’s use of personal assets in the workplace.

Guidance: Responsible Parties should manage all mobile Endpoint devices through a Mobile Device
Management tool as approved by the Business Owner[8].

Guidance: Business Owners should require that mobile Endpoint devices outside of the organisation’s
physical security controls are not left unattended, and that physical locks are used to secure
unattended equipment.

Guidance: Responsible Parties should raise awareness of the risks associated with web-based
information storage, which may not be secure[9].

Guidance: Responsible Parties should implement encryption of sensitive information on mobile
Endpoint devices according to the Agency information security policies.

Applicability: For Official Use Only; Sensitive; Integrity 3

Guidance: The Business Owner must establish procedures that cover sensitive mobile and portable
device information output, transfer, reallocation and disposal. This may be achieved by requiring
the exclusive use of secure office printers, secure data transfer services, or device return to the
office where there are appropriate facilities for sanitisation or disposal.

Guidance: Business Owners should implement formal procedures for accessing business information
across public networks, including rules and advice on restrictions on connecting mobile Endpoint
devices to public networks, and usage in public places.

References: ISMF Standard 59; ISMF Standard 131; ISM Control 1195; ISMF Standard 82;
ISMF Standard 25; ISMF Standard 139; ISMF Standard 59; ISMF Standard 108; ISMF Standard 44;
ISMF Standard 45; ISMF Standard 68; ISMF Standard 101

[8] Examples include the Citrix or MobileIron Mobile Device Management suites.
[9] E.g. cloud-based drop boxes or file drives, especially if they are hosted off-site where stored information may be subjected to unauthorised access or interception during storage or transit in foreign jurisdictions.
ENDPOINT SECURITY AWARENESS
Overall security is only as strong as its weakest link. Despite technology advances, user behaviour
(involving people and processes) may be the weakest security link. Awareness and understanding
of end-user security issues, roles and responsibilities in implementing organisational security
policies and procedures are important.
In support of ISMF Standard 25, Agencies should provide Endpoint security awareness and
education according to the following good practice guidance:
Applicability: All classifications

Guidance: Business Owners should include Endpoint-specific security awareness and training in the
Agency’s Information Security Awareness Program. It must include contemporary Endpoint security
issues and adversary techniques, including:
- Unobserved tampering with mobile Endpoint devices
- Shoulder surfing while Endpoint devices are used in public places
- Social engineering techniques to tempt, entice or compel users into providing access to Endpoint
  devices, their sensitive information, or information about Endpoint security measures and
  practices
- Connecting Endpoint devices to USB devices and privately owned devices, or connecting them to
  other networks
References: ISMF Standard 25

Guidance: Business Owners should establish and document Endpoint device responsibilities in
appropriate policies and procedures, which must include:
- Usage obligations for appropriate Endpoint device practices during and after employment and
  engagement
- Reporting obligations, mechanisms and procedures for suspicious activities and incidents
References: ISMF Standard 25; ISMF Standard 27; ISMF Standard 131

Guidance: Business Owners should demonstrate the effect that Endpoint security breaches have by:
- Showing relevance by providing the background and rationale for the mitigation strategy and a
  threat’s incidence and prevalence, e.g. through anecdotal evidence of intrusions and attempts at
  the organisation and similar organisations
- Demonstrating and involving users in actions that lead to incidents in order to cultivate a healthy
  level of vigilance, e.g. penetration tests or social engineering exercises
- Proving the effects of mitigation by showing indicators of reduced incident frequency and
  severity.
References: ISMF Standard 25
REFERENCES, LINKS & ADDITIONAL INFORMATION
1. OCIO/F4.1 Government of South Australia Information Security Management Framework
[ISMF]
2. PC030 Government of South Australia Protective Security Management Framework [PSMF]
3. Australian Government Protective Security Policy Framework [PSPF]
4. Australian Government Information Security Manual, Australian Signals Directorate
5. ISMF Standard 141 (Endpoint protection), Government of South Australia
6. Top 4 Mitigation Strategies to Protect Your ICT System, Australian Signals Directorate
7. Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details, Australian Signals
Directorate, Australian Government
8. Application Whitelisting Explained, Australian Signals Directorate, Australian Government
9. Patching evaluated products, Australian Signals Directorate, Australian Government, Canberra.
10. Minimising Administrative Privileges Explained, Australian Signals Directorate
11. Guide to information security, Office of the Australian Information Commissioner, Australian
Government
12. Critical Controls for Effective Cyber Defense, SANS Institute, United States
13. Application Whitelisting: Panacea or Propaganda, SANS Institute, United States
14. System Administrator - Security Best Practices, SANS Institute, United States
15. ISMF Guideline 21 (Storage devices and media), Government of South Australia
This guideline does not aim to provide the reader with all of the responsibilities and obligations
associated with Endpoint protection. It is merely an overview of the information provided in
applicable government cyber security policy, applicable governance frameworks and the resources
and utilities available at the time of publication. It is highly recommended that agencies review
these documents in their entirety. The individual requirements of agencies will have direct bearing
on what measures are implemented to mitigate identified risk(s).
ID: OCIO_G4.18
Classification/DLM: PUBLIC-I2-A1
Issued: April 2014
Authority: State Chief Information Security Officer
Master document location: Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\v3.2\ISMFguidelines\ISMFguideline18(endpoint protection).docx
Records management: File Folder: 2011/15123/01 - Document number: 8287386
Managed & maintained by: Office of the Chief Information Officer
Author(s): Christian Bertram CEA, MSIT, Enterprise Architect; Tony Stevens, Senior Analyst
Reviewer: Jason Caley CISM, MACS (CP), IP3P, CRISC, CEA, Principal Policy Adviser
Compliance: Discretionary
Next review date: March 2016

To attribute this material, cite the Office of the Chief Information Officer, Government of South
Australia, ISMF Guideline 18.
This work is licensed under a Creative Commons Attribution 3.0 Australia Licence.
Copyright © South Australian Government, 2014.