Department of Defence ASD Cyber Security Bulletin

Issue #11 – August 2013
ASD CYBER SECURITY BULLETIN
A time for leadership
Cyber security must be given due diligence across
the management of Australian government
organisations. We all hold information that affects
the lives of the public. Be it personal, financial or
even security information, we have a responsibility
to protect that data. Just like we have to be
accountable in our corporate finance dealings,
we are also obligated to protect our information
and networks.
Senior executives are the key to leading the charge
in strengthening the security posture of their
organisations. Without strong senior leadership
and real commitment to improving network and
information security, the success of malicious cyber
activity will not diminish.
Organisational leaders can enable and resource
their ICT security staff and programs to not
only implement secure practices now, but also
incorporate security requirements into future
projects and planning. This can then be bolstered
with staff education programs to improve the
overall security culture of agencies.
Ongoing concerns about the level and impact
of cyber intrusions led the Attorney-General’s
Department to now require the application of
ASD’s ‘Top 4’ Strategies to Mitigate Targeted Cyber
Intrusions be mandatory under the Protective
Security Policy Framework. This will help make
Australian government networks among the hardest
to compromise.
ASD – as the Commonwealth authority on cyber
security – will continue to provide advice and
assistance to agencies to strengthen their ICT
security. ASD aims to enable senior leaders to
devote adequate attention and resources to this top
national security priority.
Now is the time for leadership.
Joe Franzi is the Assistant Secretary for Cyber
Security at the Australian Signals Directorate.
Inside this issue
A time for leadership ........ 1
Avoid being caught in a pinch overseas ........ 2
Think before you BYOD ........ 3
Coming Soon: The Australian Cyber Security Centre ........ 4
Catch, Patch, Match ........ 4
www.onsecure.gov.au
ASD Contact Details
For non-urgent and general ICT
security enquiries:
Email: asd.assist@defence.gov.au
For urgent and operational
government ICT security matters:
Phone: 1300 CYBER1 (1300 292 371)
select 1 at any time
OR
Complete the cyber security incident
report form at www.asd.gov.au
Reporting incidents helps ASD to:
• understand threats to Australian
government systems
• inform other threatened agencies
• develop defensive policy and practices
Avoid being caught in a
pinch overseas
Travelling overseas with an electronic device can
make travel easier and more convenient, but it
also carries security risks that all individuals need
to consider. In particular, Government employees
should be aware that the compromise of your
device could have an impact on your department,
its information and its reputation.
Claire from the Department of the Prime Minister
and Cabinet went on a private trip overseas in
mid-2012. Before she left, her ICT security team
proactively briefed her on the personal security
of her mobile devices while she was away. They
instructed her to keep her phone on her person at
all times and gave her a list of things to look out for
that may indicate a compromise.
• Remove all non-essential data from the device,
particularly sensitive information.
• Disable any feature or software not required for
the trip. This will limit software vulnerabilities.
• Disable Bluetooth and wireless capabilities and
any features that allow the device to ‘auto-join’ a
network.
• Ensure strong passwords are used.
• Back up all your data before you travel. If your
device is compromised you may not be able to
recover it.
Upon her return, Claire started to notice her phone
had a significantly shorter battery life than usual
and wasn’t performing as reliably as it previously
had. These were consistent with the signs of a
malware compromise that she had been warned
about. She sought advice and her ICT security team
directed her to restore her phone to factory settings
and change her passwords on all email-based
accounts.
“I had followed all advice apart from a 10-20
minute window when I left my phone in my hotel
room while I popped down the hall. I also used my
phone once or twice to connect to hotel wireless
networks to check personal emails…Next time I will
be even more vigilant than I was this time around!”
Claire’s experience highlights the risk to security
when you travel overseas with an electronic device.
This risk is elevated when Government information
is stored or communicated on that device. While
you are travelling it is your responsibility to ensure
your information remains secure.
ASD’s Travelling overseas with an electronic device
outlines steps you can take before, during and after
your travel to maximise the security of your device
and the information stored on it to help mitigate
against scenarios such as Claire’s.
Before you travel
• Consult your ICT security staff to ensure updates,
patches, encryption and antivirus software are
installed on your device. Check if there are
emergency information sanitisation procedures.
• If you are provided with an agency device such
as a laptop, check what restrictions there are on
its use.
While you are travelling
• Maintain physical control over devices by keeping
them in your possession and not checking them
in as luggage.
• Do not connect to open Wi-Fi networks; enable
only the wireless communications that are needed
and can be secured. Use your agency Virtual
Private Network when accessing the internet so
that your browsing traffic is protected.
• Do not store or communicate information above
the classification of the device.
• Avoid using non-agency controlled web-based
email services for business purposes.
• Clear your web browser after each use, including
deleting history files, cache, cookies, URL and
temporary internet files.
• Avoid connecting USB devices or playing
illegitimate CDs and DVDs on your agency laptop.
When you return
• Advise your ICT security team if the device was
taken out of your possession or if you left it
unattended in your hotel room at any point.
They will be able to check the device for any
malicious software or evidence of compromise.
• All passwords associated with a mobile device
should be changed upon return from overseas
travel.
By following these steps you can reduce the risks
of travelling overseas with an electronic device.
In Claire’s case, the diligence of her ICT security
team meant that the potential harm caused by
the compromise of her mobile phone was very
limited and the risk to government low.
For more information see ASD’s Protect
publication Travelling overseas with an electronic
device (December 2012).
Think before you BYOD
Bring Your Own Device (BYOD) programs are
becoming increasingly popular as government
and businesses adopt flexible working trends and
employees require greater mobility. ASD regards
BYOD as a subset of enterprise mobility. Enterprise
mobility is about enabling employees to perform
work in specified business-case scenarios using
devices such as smartphones, tablets and laptops
and technologies that facilitate remote access to
data.
A well implemented enterprise mobility scheme
can provide greater freedom, convenience
and flexibility for employees, and enables
organisations to take advantage of new
technology faster, reduce hardware costs and
improve productivity. However, these schemes
also carry risks to security which must be
considered and mitigated against.
In June, ASD released a new guide titled Risk
Management of Enterprise Mobility Including
Bring Your Own Device. This guide provides advice
on how to implement enterprise mobility in your
organisation with due consideration of business
opportunities, compliance obligations, personnel
resources, budget limitations, and security risks.
ASD aims to help you understand the security
risks, and how to manage them, in the mobility
space. These can be summarised in the four ‘P’s
of enterprise mobility: purpose, planning, policy
and polish.
The first step is establishing a purpose.
Organisations need to have a strong business
case to establish an enterprise mobility scheme.
Consider the benefits, the risks, and the resources
that will be required, and whether enterprise
mobility will enhance users’ ability to do business.
The second step is planning. It is crucial you take
the time to get this right. You need to consider the
different options available and make an informed
risk-based decision. Once you have decided who
you are trying to ‘make mobile,’ the next questions
should be what information do they need access
to, and how are they going to access it.
The third step is to develop and communicate
your policy. This includes education and training
on what data can be accessed, stored and
communicated to which devices and by which
applications. A key aspect of this stage is your
acceptable use policy. This is what communicates
your expectations on employee behaviour,
including what risk management controls they
need to apply on your behalf.
Finally, you need to continually polish your
program and review your usage policies
where required. This is more than just ongoing
management and technical support and requires
monitoring of the scheme, including by reviewing
various logs. You need to have regular reporting
to senior management to help them understand
and address unacceptable risks. This will allow
senior management to assess whether the
benefits of enterprise mobility to the organisation
justify the risks and costs.
[Cover image: Risk Management of Enterprise Mobility
Including Bring Your Own Device, June 2013]
If organisations take into account ASD’s guide
Risk Management of Enterprise Mobility Including
Bring Your Own Device they will be well on
the way to establishing an efficient and secure
enterprise mobility scheme.
This publication and further resources are
available on www.onsecure.gov.au and
www.asd.gov.au
Coming Soon: The Australian Cyber Security Centre
In January of this year the establishment of the new Australian Cyber Security Centre (ACSC) was announced.
The development of the new ACSC is an important government initiative to ensure that Australian networks
are amongst the hardest to compromise in the world.
The ACSC will be located in a state-of-the-art facility within the new Ben Chifley Building in Canberra, also
home to ASIO headquarters. Importantly, it will create a hub for greater collaboration with the private sector,
state and territory governments, and international partners, to combat the full breadth of cyber threats – a
genuinely new and unique national capability.
ASD’s Head of Cyber and Information Security, Major General Stephen Day, recently addressed the Australian
Defence Magazine (ADM) Cyber Security Summit stating:
“ASD will continue with the central role we currently play in cyber security. ASD will provide the
majority of the staff, about 73%, and the bulk of the capability, for the new centre.
And, reflecting the majority contribution of ASD, an ASD officer will be the centre’s coordinator. I will
be the first incumbent.
The centre will build upon the fusion model of the current CSOC.
It will combine the cyber security capabilities from ASD, ASIO, the Attorney-General’s Department, the
Australian Federal Police and the Australian Crime Commission in a single location.
I know there is some confusion out there about who in government is responsible for what in cyber.
One of my intentions is that the centre will represent a one-stop shop for cyber security, 1800 CYBER
if you will.
Behind the shop front we will work out who is best positioned to deal with the issue at hand.”
The full speech to the ADM Cyber Security Summit is available on the Media Room section on the ASD
website.
Catch, Patch, Match
In April 2013, the Top 4 Strategies to Mitigate Targeted Cyber
Intrusions became mandatory for Australian Government agencies
under the Protective Security Policy Framework (PSPF). The new
mandatory requirement in the PSPF recognises the effectiveness
of the Top 4 strategies in mitigating targeted cyber intrusions. The
Top 4 strategies can be summarised as Catch, Patch, Match:
CATCH malicious software with a whitelist;
PATCH applications and operating systems; and
MATCH the right people with the right access.
TOP 4 STRATEGIES
[Infographic: CATCH malicious software with a whitelist; PATCH your applications and operating system;
MATCH the right people with the right privileges; mitigates at least (figure shown in graphic) of targeted
cyber intrusions]
So what does it all mean?
CATCH
Malicious software (commonly referred to as
‘malware’) can execute on your computer without
you even knowing that it’s on your system. One of
the most effective ways to stop this happening is to
use an application whitelist, so that only specifically
selected programs can run on your system. This can
prevent malicious and unauthorised software from
executing.
Application whitelisting has the advantage of not
requiring daily definition updates, and allows the
administrator to control which programs can be run
on the network.
PATCH
Patching your applications and operating systems
is vital in preventing attackers from exploiting
your network. A patch is a small piece of software
designed to update a program or fix problems.
You may have noticed automatic software updates
running on your home PC – these are important in
making sure that your application and operating
system are up to date and protected against current
threats. It is important to patch your organisation’s
systems to protect your most critical assets and data.
MATCH
So why is it so important to match the right people
with the right access?
It’s time to look at your network and check whether
every user with administrative privileges needs to
have them. It may not seem important, but limiting
administrative privileges is a critical part of helping
to stop malware from spreading, hiding in your
network, and compromising your system.
The more users with administrative privileges,
the greater the risk when one of those users is
compromised. Accounts that grant a high level of
access should be restricted to only those users that
need them.
How does it all work?
When used as a package, the Top 4 mitigation
strategies help in achieving a ‘defence-in-depth’
ICT system. The Top 4 strategies enable multiple
lines of defence which can help prevent low to
moderately sophisticated cyber intrusions. Spearphishing is the most common intrusion technique
seen by ASD’s Cyber Security Operations Centre
(CSOC). A socially engineered e-mail can contain
an attachment in a common format (for example,
a PDF or JPEG) that can exploit a vulnerability once
the user opens it.
If the application with the vulnerability has been
patched, the malware will not be able to exploit
that vulnerability. If the application (or operating
system) has not been patched, the malware can
still be prevented from executing if there is an
application whitelist stopping the program from
running. If the system is compromised and the
user does not have unnecessary administrative
privileges, attackers will not have such a high level
of access to the system.
At least 85% of the cyber intrusion techniques
responded to by ASD could have been mitigated by
implementing Catch, Patch, Match as a package.
Want more info?
For more information on the Top 4 and the
Strategies to Mitigate Targeted Cyber Intrusions,
please visit www.asd.gov.au.
So what’s the best way to do this?
1. Identify the tasks which absolutely require
administrative privileges to be performed, and
the staff who are required (and authorised) to
carry out these tasks.
2. Create separate administrative accounts for
those staff, with the least level of privilege that
is required for them to complete the tasks that
require administrative access.
3. Ensure that these administrative accounts do not
have the ability to access the internet or read
email. If possible, ensure that administrative
access is performed on a computer separate from
the one used for day-to-day tasks.
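One way to check the three steps above on an Active Directory domain, as an added example that is not from the bulletin or ASD: it lists everyone who actually holds administrative group membership, compares them against the approved list from step 1, and flags administrative accounts that still have a mailbox (step 3). It assumes the ActiveDirectory PowerShell module is installed, that the approved list lives at a hypothetical path, and that dedicated administrative accounts follow an assumed "adm-" naming convention.

```powershell
# Added audit script (not part of the ASD bulletin). Run as a user who can read AD.
Import-Module ActiveDirectory

# Step 1 output: one approved SamAccountName per line (hypothetical path).
$approved = Get-Content 'C:\Secure\approved-admins.txt'

# Groups whose membership grants high-level access; extend for your environment.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

foreach ($group in $privGroups) {
    # -Recursive expands nested groups so indirectly granted access is also seen.
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $name = $m.SamAccountName
        $user = Get-ADUser -Identity $name -Properties mail, Enabled

        # Step 1: is this person authorised to hold administrative privileges?
        if ($approved -notcontains $name) {
            "$group : $name is not on the approved list; review and remove if not required"
        }

        # Step 2: administrative access should come from a separate account
        # (assumed convention: dedicated admin accounts are prefixed 'adm-').
        if ($name -notlike 'adm-*') {
            "$group : $name does not look like a dedicated administrative account"
        }

        # Step 3: an admin account with a mailbox can read email; flag it.
        if ($user.mail) {
            "$group : $name has a mailbox ($($user.mail)); admin accounts should not read email"
        }

        # Disabled accounts still in privileged groups are stale and should be removed.
        if (-not $user.Enabled) {
            "$group : $name is disabled but still a member; remove it"
        }
    }
}
```

Any line of output is a finding for the ICT security team to action; an empty run means membership matches the approved list and the separation rules.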