ISMF Guideline 18. OCIO/G4.18 Government guideline on cyber security. Endpoint protection (incl. smartphones and portable devices) BACKGROUND

Transcription

1 OCIO/G4.18 ISMF Guideline 18 Endpoint protection (incl. smartphones and portable devices) BACKGROUND The SA Government s ICT services environment is essential for delivering services within government and to the community. This dependence on information systems and services requires ongoing and sustained device management to reduce service outages and information theft or corruption in light of new and emerging security vulnerabilities and threats. The opportunity to connect a variety of privately-owned and corporate devices (such as smartphones and tablets) to the government s computing network poses an increasingly important risk. Endpoint protection is an umbrella term for security techniques that focus on the devices that are connected to the network. It requires that each computing device on a network complies with a set of standards for network access, and monitoring the status, activities, software, authorization and authentication of connected devices. The Australian Government s Defence Signals Directorate has established that most cyber intrusion techniques could be mitigated by implementing the following key practices 1 : 1. Catching malicious software through Endpoint application whitelisting 2. Patching each Endpoint operating system and application vulnerability 3. Matching the right people with appropriate privileges on the system Together with a number of additional requirements related to Endpoint protection, they have been adopted as ISMF Standard This guideline supports implementation of ISMF Policy Statement 18. GUIDANCE This guideline has been developed to provide information concerning the measures that should be implemented to provide appropriate levels of protection for Endpoint devices. 1 Top 4 Mitigation Strategies to Protect Your ICT System, Australian Signals Directorate, Australian Government. 2 ISMF Standard 141 is introduced in ISMF version 3.2.0

2 WHITELISTING Whitelisting of applications can form an effective component of an Endpoint Defense in Depth security strategy. In simple terms, this practice only allows trusted applications to run while blocking all others. Application whitelisting has been established as the number one security practice in terms of return on investment 34. Controls S141.2 and S141.5 issued under ISMF Standard 141 require Agencies to consider implementing application whitelisting to prevent the use of applications that are not sanctioned by the business, have not been adequately tested or are not required by the user to perform their duties, and remove or otherwise disable non-essential software and functionality (including browser and web navigation plug-ins) according to the following guidance: [SLC] Sensitive: Legal or Commercial [I3] Integrity 3 The Business Owner should establish a formal policy prohibiting the use of unauthorized Endpoint device applications prior to commissioning Endpoint devices into the operating environment. Responsible Parties should implement processes for authorising applications as approved by the Business Owner prior to their deployment into the operating environment. These processes should utilise up-to-date tools and services 5 for identifying and managing applications, such as tools with automated whitelist and exception management. Responsible Parties should use suitable configuration techniques to control all authorised and implemented applications. Examples include techniques based on establishing trust with known application publishers and whitelisting services, or controlled patch management systems. Responsible Parties should deploy Endpoint applications based on device user s role-specific functions and activities (need-touse basis). Role-based application execution privileges may be applied according to the best-practice guidance provided in section PRIVILEGES. Responsible Parties should conduct at least quarterly Endpoint application reviews, and examine any unapproved applications. Responsible Parties should audit log and monitor all operational application updates, and analyse and report whitelisting discrepancies to the Business Owner as needed, but at least quarterly. ISMF Standard 113 ISMF Standard 78 ISMF Standard Top 4 Mitigation Strategies to Protect Your ICT System, Australian Signals Directorate, Australian Government 4 Application Whitelisting Explained, Australian Signals Directorate, Australian Government 5 Examples of contemporary tools include the Bit9 Security Platform, Lumension Application Control and Kaspersky Endpoint Security suite. Page 2 of 10

3 PATCHING Patching devices, particularly the operating systems and applications, is a highly effective security practice. It mitigates exploitation of known vulnerabilities. In support of control S141.2, Responsible Parties should maintain the operating system and installed applications with relevant patches as provided by the manufacturer following best practice guidance. [SLC] Sensitive: Legal or Commercial [A3] Availability 3 Responsible Parties should monitor vulnerability notifications from device or application vendors on a daily basis (e.g. through authoritative vulnerability notification services). Responsible Parties should undertake vulnerability risk assessment and patching on all Endpoint devices to the current security patch level (n) within 48 hours of patch availability. Responsible Parties should implement a strategy for periodically scanning or otherwise monitoring all Endpoint devices for known vulnerabilities and appropriate patch implementation. Additional automated tools and utilities may assist in this undertaking 6. Responsible Parties should have in place defined procedures for establishing, documenting, maintaining and changing the Endpoint patch configuration, e.g. as part of an overall Endpoint configuration management strategy. Patching should be agreed with the Business Owner and only performed after successful verification and testing outside of the production environment. Responsible Parties should consider compensating controls, such as segmentation of networks, if keeping security patch levels current within 48 hours is not practical at all times. ISMF Standard 121 ISMF Standard 121 ISMF Standard 121 ISMF Standard 134 ISMF Standard 116 ISMF Standard 53 ISMF Standard 50 ISMF Standard 84 Agencies should also weigh up the merits versus risks of permitting user-level accounts to selfinstall patches for approved agency endpoint applications and/or the operating system. This is described in control S78.5 (Privilege Management) of the ISMF: S78.5. Agencies shall define and enforce policies and/or procedures defining what (if any) software may be installed by non-privileged accounts (such as user accounts). Such measures should factor in the relative value versus risk of permitting user accounts to install security patches and updates to existing software that is present on the 6 Example tools include but are not limited to the Secunia Corporate Software Inspector, Lumension or Shavlik suites of tools Page 3 of 10

4 information asset(s). Implementation of this control S78.5 and ISMF Standard 78 satisfies the requirements and objectives described by control of the ISO/IEC 27002:2013 standard. PRIVILEGES Ensuring users are provided with adequate rather than excessive privilege is a prudent measure to counter cyber threats. It helps to reduce Endpoint device misuse. Administrative privileges are particularly significant, since over allocation of account privileges can exacerbate Endpoint device compromise. Control S141.3 under ISMF Standard 141 specifies that Responsible Parties should establish procedures for the granting and revocation of administrative privileges while discouraging their use unless explicitly required, according to the following best practice guidance: [I3] Integrity 3 Business Owners should integrate Endpoint device access privilege management into the Agency s information access policy (refer ISMF Standard 76 Access control policy). Responsible Parties should maintain and regularly review the security mechanisms for granting and revoking end-point device privileges. Responsible Parties should strictly assign end-point access privileges based on a user s functions and role, and to restrict access to information assets they need to carry out their job. Responsible Parties must not temporarily assign excessive privileges (e.g. administrative privileges) to end-point device users, even temporarily. When users need to perform privileged tasks, the permission must be limited to the specific tasks. If this is not practical, authorised administrators should perform the tasks. Consideration should be given to implementing products to define and manage access to administrator accounts (e.g. Sudo, Run as ). This removes the need to share broad administrative privileges between those requiring that level of access, as well as allowing access to be defined only to the specific functions required in order to meet job responsibilities. Responsible Parties should prescribe suitable procedures and authentication techniques that prevent privilege sharing, such as shared Endpoint device logins. Responsible Parties should log all privileged account allocations, changes and activity for regular reviews. Responsible Parties should review privileged allocations and changes when significant employment changes occur, but at least every three months. ISMF Standard 76 ISMF Standard 77 ISMF Standard 78 ISMF Standard 78 ISMF Standard 94 ISMF Standard 80 ISMF Standard 77 Business Owners should authorise privileged Endpoint access (e.g. ISMF Standard 80 Page 4 of 10

5 administrative privileges), and undertake a comprehensive review relative to general user access rights at least quarterly. INACTIVITY MEASURES FOR UNATTENDED DEVICES Devices may be prone to being operational but unattended for extended periods (e.g. user(s) remain logged-in with applications running). This provides easy access to the Endpoint device, its information and the environment it is connected to. Inactivity measures can reduce this risk. They limit how long an Endpoint can be unattended or inactive. Controls S141.7 and S141.8 under ISMF Standard 141 require Responsible Parties to consider additional controls for unattended or inactive Endpoint devices according to the following best practice guidance: Responsible Parties must implement measures to progressively limit access to an Endpoint device, or revoke the device s access to its operating environment. ISMF Standard 97 The following timeout measures should be considered: Lock: clear or lock the Endpoint device screen to conceal information from public view Close: log the user out of applications, or the Endpoint device, and require re-authentication. Discourage or disable silent reauthentication via cached credentials or background re-authentication End: ending application sessions, applications or connections on inactive mobile or remote Endpoint devices outside the organization's physical security controls, or de-provision devices via remote wipe Sensitive Integrity 2 Availability 2 Responsible Parties should consider implementing timeout activation after15 minutes of inactivity. Responsible Parties should implement timeouts not exceeding 2 minutes of system user inactivity for mobile or remote Endpoint devices outside the organization's physical security controls. Any inactivity measures should take into account business and technical timeout constraints, including the impact of timeout measures on a user s ability to use the Endpoint device in a time-critical situation, or the disruption of user-initiated background activities. Responsible Parties should restricting mobile Endpoint device connections to specified times during normal or extended office hours, or predetermined or explicitly arranged time slots. ISMF Standard 97 ISMF Standard 97 ISMF Standard 98 Page 5 of 10

6 MALICIOUS SOFTWARE PROTECTION Malicious software (Malware), including viruses, trojans, ransomware, adware and backdoors (covert channels,) is executable code designed to disrupt or undermine a computer system. Without adequate protection, it can easily be introduced to an entire network from one infected device often without the knowledge of the user. Once introduced, it can be used to gain access to sensitive or classified information, or compromise an organisation s service, system or information availability and integrity. Control S141.1 under ISMF Standard 141 requires Responsible Parties to deploy and maintain appropriate anti-virus/anti-malware solutions encompassing Endpoint devices with consideration of the following best practice guidance: The Business Owner should establish a formal policy requiring that all Endpoint devices used to conduct SA Government business have fit-for-purpose anti-malware tools installed 7. Responsible Parties should consider anti-malware tools using contemporary malware protection techniques and characteristic, including: reputation-based analysis, which determines trustworthiness on external factors, such as software origin and known usage history heuristic analysis, which determines trustworthiness based on software characteristics such as harmful instructions or execution behaviours cross-platform coverage, which means protection is provided across Endpoint device platforms Responsible Parties should configure anti-malware tools to automatically scan all files that are accessed on, or downloaded to the Endpoint device. Responsible Parties should implement a strategy for periodically scanning or otherwise monitoring all Endpoint devices for known malware. Responsible Parties should update the tool s data files for malware identification on a daily basis. 7 Examples include the McAfee, Trend Micro and Kaspersky endpoint protection suites of tools. Page 6 of 10

7 MOBILE AND PORTABLE DEVICES Mobile and portable devices, such as smartphones, tablet or notebook computers, have unique Endpoint protection concerns due to their personal nature (e.g. employee-owned devices), technical capabilities (e.g. easy connectivity), and portability (e.g. convenience of use outside of the organisation s physical security controls). In recognition of the unique risks of mobile Endpoint devices (also referred to as mobility devices), Agencies should develop and implement specific policies, procedures and controls to prevent unauthorised device access with consideration of the following best practice guidance: Business Owners should establish a policy governing the use of mobile Endpoint devices. It will need to consider if bringyour-own-device is an appropriate practice, and in the affirmative should address practice and procedures with personnel s use of personal assets in the workplace. ISMF Standard 59 ISMF Standard 131 Responsible Parties should manage all mobile Endpoint devices through a Mobile Device Management tool as approved by the Business Owner 8. Business Owners should require that mobile Endpoint devices outside of the organisation s physical security controls are not left unattended, and physical locks are used to secure unattended equipment. ISM Control 1195 ISMF Standard 82 Responsible Parties should raise awareness of the risks associated with web-based information storage, which may not be secure 9. ISMF Standard 25 ISMF Standard 139 Responsible Parties should implement encryption of sensitive information on mobile Endpoint devices according to the Agency information security policies. ISMF Standard 59 ISMF Standard 108 For Official Use Only Sensitive Integrity 3 The Business Owner must establish procedures that include sensitive mobile and portable device information output, transfer, reallocation and disposal. This may be achieved by requiring the exclusive use of secure office printers, secure data transfer services, or device return to the office where there are appropriate facilities for sanitisation or disposal. Business Owners should implement formal procedures for accessing business information across public networks, including rules and advice on restrictions to connect mobile Endpoint devices to public networks, and usage in public places. ISMF Standard 44 ISMF Standard 45 ISMF Standard 68 ISMF Standard Examples include the Citrix or MobileIron Mobile Device Management suites. 9 E.g. cloud-based drop boxes or file drives, especially if they are hosted off-site where stored information may be subjected to unauthorised access or interception during storage or transit in foreign jurisdictions. Page 7 of 10

8 ENDPOINT SECURITY AWARENESS Overall security is only as strong as its weakest link. Despite technology advances, user behaviour (involving people and processes) may be the weakest security link. Awareness and understanding of end user security issues, roles and responsibilities in implementing organisational security policies and procedures is important. In support of ISMF Standard 25, Agencies should provide Endpoint security awareness and education according to the following good practice guidance: Business Owners should include Endpoint-specific security awareness and training in the Agency s Information Security Awareness Program. It must include contemporary Endpoint security issues and adversary techniques, including: Unobserved tampering with mobile Endpoint devices Shoulder surfing while Endpoint devices are used in public places Social engineering techniques to tempt, entice or compel users into providing access to Endpoint devices, their sensitive information, or information about Endpoint security measures and practices Connecting Endpoint devices to USB devices and privately owned devices, or connecting them to other networks ISMF Standard 25 Business Owners should establish and document Endpoint device responsibilities in appropriate policies and procedures, which must include: Usage obligations for appropriate Endpoint device practices during and after employment and engagement ISMF Standard 25 ISMF Standard 27 ISMF Standard 131 Reporting obligations, mechanisms and procedures for suspicious activities and incidents Business Owners should demonstrate the effect that Endpoint security breaches have by: Showing relevance by providing the background and rationale for mitigation strategy and a threat s incidence and prevalence, e.g. through anecdotal evidence of intrusions and attempts at the organisation and similar organisations Demonstrating and involving users in actions that lead to incidents in order to cultivate a healthy level of vigilance, e.g. penetration tests or social engineering exercises Proving the effects of mitigation by showing indicators of reduced incident frequency and severity. ISMF Standard 25 Page 8 of 10

9 REFERENCES, LINKS & ADDITIONAL INFORMATION 1. OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF] 2. PC030 Government of South Australia Protective Security Management Framework [PSMF] 3. Australian Government Protective Security Policy Framework [PSPF] 4. Australian Government Information Security Manual, Australian Signals Directorate 5. ISMF Standard 141 (Endpoint protection), Government of South Australia 6. Top 4 Mitigation Strategies to Protect Your ICT System, Australian Signals Directorate 7. Strategies to Mitigate Targeted Cyber Intrusions Mitigation Details, Australian Signals Directorate, Australian Government 8. Application Whitelisting Explained, Australian Signals Directorate, Australian Government 9. Patching evaluated products, Australian Signals Directorate, Australian Government, Canberra. 10. Minimising Administrative Privileges Explained, Australian Signals Directorate 11. Guide to information security, Office of the Australian Information Commissioner, Australian Government 12. Critical Controls for Effective Cyber Defense, SANS Institute, United States 13. Application Whitelisting: Panacea or Propaganda, SANS Institute, United States 14. System Administrator - Security Best Practices, SANS Institute, United States 15. ISMF Guideline 21 (Storage devices and media), Government of South Australia Page 9 of 10

10 This guideline does not aim to provide the reader with all of the responsibilities and obligations associated with Endpoint protection. It is merely an overview of the information provided in applicable government cyber security policy, applicable governance frameworks and the resources and utilities available at the time of publication. It is highly recommended that agencies review these documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s). ID OCIO_G4.18 Classification/DLM PUBLIC-I2-A1 Issued April 2014 Authority State Chief Information Security Officer Master document location Q:\SecurityRiskAssurance\Policy Development Sub-program\Policy and Standards\ISMF\v3.2\ISMFguidelines\ISMFguideline18(endpoint protection).docx Records management File Folder: 2011/15123/01 - Document number: Managed & maintained by Office of the Chief Information Officer Author(s) Christian Bertram CEA, MSIT, Enterprise Architect Tony Stevens, Senior Analyst Reviewer Jason Caley CISM, MACS (CP), IP3P, CRISC, CEA, Principal Policy Adviser Compliance Discretionary Next review date March 2016 To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 18. This work is licensed under a Creative Commons Attribution 3.0 Australia Licence Copyright South Australian Government, Disclaimer