Cyber Security Incident Reporting Scheme

Transcription

1 OCIO/G4.12a ISMF Guideline 12a Cyber Security Incident Reporting Scheme BACKGROUND Reporting cyber security incidents is a source of intelligence information that assists in the development of a greater understanding of any threats to South Australian Government assets. A holistic picture of the cyber threat environment can be used to assist other at risk agencies as well as aid in developing new policies, procedures, techniques and training measures to help prevent future incidents. The Cyber Security Incident Reporting Scheme is aimed at helping gain a greater understanding of all incidents that are impacting, or have the potential to impact, SA Government assets. GUIDANCE This guideline has been developed to assist agencies understand the Cyber Security Incident Reporting Scheme and implement it in to their agency s internal processes. This document should be read in conjunction with ISMF Standard 140. Emergency Management Act (2004) State Emergency Management Plan [SEMP] Protective Security Management Framework [PSMF] Information Security Management Framework [ISMF] ICT Support Plan Cyber Security Incident Reporting Scheme (ISMF Standard 140) ISMF Guideline 12a Cyber Security Incident Reporting Scheme (This Document) Figure 1 - Document relationship diagram

2 What is the Cyber Security Incident Reporting Scheme? As the Control Agency for ICT Failure, the Office of the CIO is tasked with the control and coordination of whole-of-government operational responses to cyber incidents. The Cyber Security Incident Reporting Scheme assists the Office of the Chief Information Officer (CIO) fulfil this role. This scheme is a replacement for the previous Notifiable Incident system and is based on similar incident reporting systems used within the other Australian government jurisidations and draws on the principles of the international standard for Information Security Incident Management (ISO/IEC 27035). All South Australian Government agencies and applicable suppliers have a requirement to report cyber security incidents and events which disrupt or are likely to disrupt ICT services in the South Australian Government to the Office of the CIO. this scheme does not replace an agency s internal incident management processes. Does the Cyber Security Incident Reporting Scheme replace my agency s incident management processes? The Scheme does not replace an agency s internal incident management processes and procedures. The Scheme runs in parallel and compliments existing agency arrangements to provides a holistic picture of the threat environment for government systems, as well as allowing the Office of the CIO to provide assistance to other agencies who may also be at risk. Why is there a need for the Cyber Security Incident Reporting Scheme? By being adequately informed the SA Government, can undertake a number of preventative or response measures, including: Notifying agencies of current threats that they need to be aware of and measures they can take to mitigate these threats. Developing new policies, procedures, techniques and training measures to help prevent future incidents. Implementing additional technical preventative measures such as blocking or filtering. Coordinating and prioritising government resources to investigate or respond to significant or multi-agency incidents. Reporting the information to relevant national resources and intelligence services. Providing regular reports to relevant governance committees on quantity and type of incidents occurring. Feedback to agencies via ad-hoc Security Bulletins and regular newsletters outlining the types of Events and Incidents occurring within the SA Government ICT environment. The Office of the CIO is committed to working with agencies to help ensure that the Cyber Security Incident Reporting Scheme improves the government s security posture as well as provides value to all relevant parties. Page 2 of 10

3 What is a Cyber Security Incident? The Cyber Security Incident Reporting Scheme uses two key definitions that must be considered: Cyber Security Event: An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant. Cyber Security Incident: A single or a series of unwanted or unexpected Cyber Security Events that have a significant probability of compromising business operations and threatening information security. All Agencies are responsible for reporting Cyber Security Events to the Office of the CIO Watch Desk. A Cyber Security Event being identified will not necessarily mean that an attempt has been successful or that there are any consequences for the security of the governments information or cyber assets - not all Cyber Security Events will be classified as Cyber Security Incidents. The Office of the CIO Watch Desk will make an assessment at the time of an Event being reported. Figure 2 - Incidents make up only a small proportion of Cyber Security Events. Cyber Security Events Cyber Security Incidents The reporting agency will aid in the assessment process to determine whether the Event constitutes a Cyber Security Incident. If it is assessed as an Event then nothing further will be required of the agency, however, if it is determined that an Incident then additional follow up activities will be required (refer Figure 4 below for full workflow). Figure 3 - Relationship of objects in the Cyber Security Incident chain Threat Causes Unwanted or unexpected action Exploits Vulnerability Occurrence of Cyber Security Event Exposes Assessed as Cyber Security Incident Implications on information security Government Information Asset Diagram adapted from ISO/IEC 27035: Information Technology - Security techniques - Information security incident management Page 3 of 10

4 What should or should not be reported? Not all unwanted or unexpected actions are going to result in the occurrence of a Cyber Security Event nor are they going to of interest for reporting or recording purposes. The following is examples of the types of occurences that the Office of the CIO Watch Desk is less likely to be interested in: Table 1 - Examples of what does not need to be reported Non-ongoing malware or virus activity on a standard user device that is easily remediated. (e.g. single case of a user device with a virus that is automatically detected, and cleaned by the existing controls). Short term outages on non-critical services. (e.g. non business critical machine has an unplanned outage which is easily recovered from within recovery time objectives). Single cases of standard spam s without any malicious links or attachments. (e.g. marketing or advertisement spam, or nigerian scams without any malicious links or attachments). Normal background activity detected in logs. (e.g. standard, regular activity seen in log managers or SIEM systems). Users breaching agency specific policies or guidelines for appropriate usage of government internet. (e.g. single user browsing inappropriate, but not illegal or malicious, websites during work time). Unexploited vulnerability in non critical information systems, services or networks. (e.g. unpatched vulnerabilities of desktop machines which have not been exploited). The following are examples of the types of occurences that the Office of the CIO Watch Desk is interested in and should be reported. Table 2 - Examples of what should be reported Suspicious or seemingly targeted s with attachments or links. Compromise or corruption of official information. Data breaches. Theft or loss of electronic devices that have processed or stored government information. Intentional or accidental introduction of malware or potentially unwanted programs to a network. Denial of service attacks. Suspicious or unauthorised network activity. Reduced capcity or failure of government systems, services or networks. Web or online presence defacement or compromise If in doubt, report it. It is better to over report than under report. The above examples are not a complete list but can be used as a guide for the types of things that should, or should not, be reported. Consideration should also be given to whether any occurrence may be part of a wider incident, whether it may impact on essential or important services, or whether the findings within one agency may assist another. If in doubt, report it. It is better to over report than under report. Page 4 of 10

5 Figure 4 Cyber Security Incident Reporting Scheme Workflow diagram Detection may come from: Agency ITSA Performing Supplier CSOC AusCERT SAPOL/AFP CERT Australia OCIO Watch Desk Monitoring Inform Office of the CIO (phone, ) No Cyber Security Event Detected Office of the CIO aware? Yes Agency internal Event and Incident management processes occur Office of the CIO performs initial Information Collection and Assessment with agency Process Closed. Office of the CIO note information and agency continue to follow their own internal processes. No Possible cyber security incident? Yes Office of the CIO performs further analysis and assessment with agency and relevant parties No Confirmed cyber security incident? Yes Agency will be required so submit post incident review documentation to Office of CIO for noting Office of the CIO performs incident categorisation and classification Office of CIO supports agency response as required No Whole of Government incident coordination required? Yes Office of the CIO take control of the incident response as per ICT Support Plan. Incident Closed. Process ends. Debriefing and review activities will depend on severity and type of incident as per existing documentation Page 5 of 10

6 When, Where and How should events and incidents be reported? The reporting process is intended to be simple and the Office of the CIO will work with agencies to make sure it is easy and useful for all stakeholders. When: Cyber Security Events and Incidents should be reported immediately. o The timing of incident reporting is vital to the response process and as such Cyber Security Events and Incidents should be reported to the Office of the CIO immediately. In many cases this may result in incomplete and potentially inaccurate information; however the risk posed by early reporting is outweighed by the advantage gained from early action. Where: The Office of the CIO Watch Desk is the contact point for Cyber Security Event and Incident Reporting. The Watch Desk may be contacted via the following means: Phone (Business Hours): (08) (Business Hours): WatchDesk@sa.gov.au Watch Desk Duty Officer (Emergency/Out of Hours number): (08) How: Reports should initially be made via phone or to the details listed above. In the case of a Cyber Security Event then there will be no further formal action required of the agency. If it is deteremined that a Cyber Security Incident has occurred then agencies will be asked to complete an Incident Report Form (see Annex A) and there will also be a request to submit a Post Incident Review (see Annex B) once the incident has been closed. not all Cyber Security Events will be classified as Cyber Security Incidents. Who from my agency is responsible for reporting? Each agency will already have their own internal incident management processes which are likely to determine who handles the operational information regarding Cyber Security Events and Incidents. This person may or may not be the agency ITSA. Because of this, initial reports of Cyber Security Events or potential Incidents may be received from whomever an agency considers appropriate to do so (e.g. ICT Security Analysts, Service Desk staff etc). The moment an Event is considered an Incident there is an expectation the ITSA will be involved. The Office of the CIO will not, however, accept a Cyber Security Incident Report that has not been reviewed by the ITSA. Additional Considerations Illegal Activity: Incidents involving illegal activity must be reported to SA Police in addition to the Office of the CIO. The Office of the CIO will report illegal activity to the SA Police if the agency does not. Reports to Cyber Security Operations Centre (CSOC) or the Australian Signals Directorate: The Office of the CIO is the single point of contact for the CSOC and Australian Signals Directorate in regards to cyber security incidents. Post Incident Reports: Post incident reporting is an important part of the incident management process. Post incident reports provide opportunities to improve technical security measures, response processes and government policy. An incident cannot be closed by the Office of the CIO until a Post Incident Report has been submitted. The Post Incident Report Form (Annex C) should be submitted within 30 days of the incident response process being completed. Page 6 of 10

7 ANNEX A: INCIDENT CATEGORIES These incident categories are used by the Office of the CIO Watch Desk for categorisation and reporting purposes. Term Phishing or Social Engineering Spear Phishing Theft/loss of assets Unauthorised access to information/systems Unauthorised release of or disclosure of information Malware infections Intrusions against networks Abuse of privileges Unauthorised changes to information, applications, systems or hardware Violation of information security policy Suspicious system behaviour or failure (hardware/software) or communications) Password confidentiality Sabotage/physical damage Other events Description Attempts to acquire information such as usernames, passwords or other sensitive using social engineering or technical subterfuge. Phising or social engineering attempts that are specifically targeted against an individual or groups.these attempts make use of specific details which are unique to those being targeted. in order to increase their probability of success. The theft or loss of any information or technology asset/device (including portable and fixed media) that might have been or has been used to either process or store government information. Unauthorised access from internal and external sources to Government information and systems. Unauthorised release or disclosure of Government information to an unknown environment. Software programs designed to cause damage to Government systems. Intrusions specifically targeting Government internal infrastructure. This includes but is not limited to: denial-of-service (DoS)/distributed denial-of-service (DDoS) website defacements brute force attempts. Intrusion that cannot be attributed, after analysis, to what is considered consistent with Internet noise. For example intrusion attempts that consistently target internal network infrastructure, users or services provided for external use such as web applications. Changes to privilege use settings on stand-alone or networked equipment including network profiles, local user or device configuration files that have not been approved through the agency s change management process. Any unauthorised changes to an organisation s file system, including media, through insertion, modification or deletion. For example, changes to standard operating environments (SOEs), addition of executables or the modification of an executable s configuration. Any unauthorised installation of additional processing, communications or storage equipment into the IT network. This includes but is not limited to:modems, portable games units, smart phones, PDAs or wireless access points. Any violation of information security policy or the information security related aspects of the code of conduct. Unknown network activities affecting/degrading network performance with increased network bandwidth usage and decreased response time, using excessive CPU, increased suspicious network requests or increased Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) alerts leading to application crashes. Includes a malfunction within the electronic circuits, electromechanical components of a computer/communications system, or malfunction/inability of a program to continue processing due to erroneous logic. Sharing/stealing/loss of passwords or other authentication token. Any damage or destruction of physical information or electronic devices. Natural events and other events which result in damage to information and systems. This includes but is not limited to fire, flood, excessive heat, storms, biological agents, toxic dispersion, riots, power outages. Page 7 of 10

8 ANNEX B: CYBER SECURITY INCIDENT REPORT FORM This form is only required for those occurences that are deemed to be a Cyber Security Incident. This form may be submitted at any stage of completion. Name Phone Agency Brief Description Date & Time of Incident: Incident Status Incident Resolved Incident Ongoing Unknown Incident Impact Is this incident affecting State Government Critical ICT Infrastructure (SGCII)? Yes No How do you rate the impact of this incident on your agency? (this may be an informal rating based on currently known information) High Medium Low Reporting & Assistance Has this incident been reported to any other agencies or organisations (SAPOL, Suppliers etc?). If so please list: Do you require any assistance responding to this incident at this time? If so please specify Report Submission WatchDesk@sa.gov.au (business hours) Phone: (08) (business hours) If you require immediate assistance out of hours please contact the duty Watch Desk Officer on (08)

9 ANNEX C: POST INCIDENT REPORT FORM An incident cannot be closed by the Office of the CIO until a Post Incident Report has been submitted. Please include all additional documentation Reference Number (if provided) Incident Title/Description Date(s) of Incident: Incident Outcome Provide a short description of the incident outcome (resolutions, workarounds, findings, recommendations). Attachments List any attachments (e.g. Copies of internal post incident reports, log files, etc). Post Incident Report Submission This form should be submitted within 30 days of the incident response process being completed. WatchDesk@sa.gov.au (business hours) Mail: OCIO Watch Desk (Security & Risk Assurance) GPO Box 1484 Adelaide SA 5001 DX: 142

10 REFERENCES, LINKS & ADDITIONAL INFORMATION PC030 Government of South Australia Protective Security Management Framework [PSMF] OCIO/F4.1 Government of South Australia Information Security Management Framework [ISMF] OCIO/S4.5 ISMF Standard 140 Notifiable Incidents: Across Government Incident Reporting Scheme ISO/IEC 27035:2011 Information technology - Security techniques - Information security incident management ICT Support Plan State Emergency Management Plan This guideline does not aim to provide the reader with all of the responsibilities and obligations associated with Cyber Security Incident Reporting. It is highly recommended that agencies review all related documents in their entirety. The individual requirements of agencies will have direct bearing on what measures are implemented to mitigate identified risk(s). ID OCIO_G4.12a Classification/DLM PUBLIC-I2-A1 Issued February 2014 Authority Security & Risk Steering Committee Master document location Q:\SecurityRiskAssurance\Emergency Management\Control Agency ICT\Cyber Security Specific Incident Plan Records management 2013/07301/ Managed & maintained by Office of the Chief Information Officer Author Will Luker Analyst, Security & Risk Assurance Reviewer Sarah Mason CISM CRISC Principal Risk Adviser, Security & Risk Assurance Compliance Mandatory Review date February 2015 To attribute this material, cite the Office of the Chief Information Officer, Government of South Australia, ISMF Guideline 12a. This work is licensed under a Creative Commons Attribution 3.0 Australia Licence Copyright South Australian Government, Disclaimer