ASD CYBER SECURITY BULLETIN

Transcription

1 ASD CYBER SECURITY BULLETIN Prevention is better than a Cure While I was enjoying my leave on a Queensland beach, it seemed that every time I picked up a newspaper or caught up on happenings online, there was coverage of a major compromise of personally identifiable information due to malicious cyber activity. These types of security breaches can not only result in loss of revenue, but a loss of trust among consumers, partners and suppliers, as well as damage to an organisation s reputation for years to come. The financial costs of a serious compromise can far outweigh any cyber security budget. With the move to bring more government services online, the need to secure personally identifiable information has never been more important. As organisations grapple with combating the expanding sophistication of malicious cyber activities, delivering resilience and adaptability is a challenge for many. Reflecting back on 2013, ASD s Top 4 mitigation strategies have continued to prove their effectiveness as the best option for your agency in mitigating targeted cyber intrusions, based on the incidents that the Cyber Security Operations Centre responds to. Issue #13 June 2014 achieved gradually, firstly on workstations of users who are most likely to be targeted by cyber intrusions, and then implementing them on all workstations and servers. Once this is achieved, organisations can selectively implement additional mitigation strategies to address security gaps until an acceptable level of residual risk is reached. Of course, not all networks are the same - but to help in ensuring that networks have strong, consistent and effective defences, ASD publishes a range of technical advisories for different audiences. The recent release of the ASD Protect The Top 4 in a Linux Environment is an excellent example of how ASD recognises the practicalities of implementing the mitigation strategies across different operating environments, and offers effective advice without compromising on security or offering a lite solution will be a big year for cyber security in Australia with the Australian Cyber Security Centre set to become operational by the end of the year. My staff and I look forward to partnering with you as we work together to defeat the cyber threat. I have recently been asked whether there is a softened, lite version of the Top 4. The simple answer to this is that there is no Diet Top 4. Based on ASD s technical and operational experience in cyber security, the Top 4 remain the most effective bang for buck defence when implemented as a package. This has been supported by research from Microsoft and the United States SANS Institute, which has published a revised version of the 20 Critical Controls following the release of ASD s updated 2014 Strategies to Mitigate Targeted Cyber Intrusions. Like all aspects of security, there is a cost - but agencies need to weigh up the risks and address their own security culture. The Top 4 should form an integral part of every agency s cyber security foundation. Implementing the Top 4 mitigation strategies can be Joe Franzi is the Assistant Secretary for Cyber Security at the Australian Signals Directorate. Inside this issue Prevention is better than a Cure...1 Days of Systems Past...2 Harder, Better, Stronger...3 Watch that Webmail...4 The Top 4 for Penguins...5 Issue #13 June 2014 Page 1

2 Days of Systems Past You know that when a product vendor wants you to stop using a version of their product, it s time to get out. On Tuesday 8 April 2014, support ended for Windows XP SP3 and Office ASD ranks application patching and operating system patching as the second and third most effective strategies to mitigate targeted cyber intrusions, as listed in ASD s Strategies to Mitigate Targeted Cyber Intrusions. These two patching strategies recommend using the latest versions of software, such as Microsoft Office, and operating systems, including timely patching for vulnerabilities. When a developer ceases to provide support for a product, updates and patches to address critical vulnerabilities are no longer made available. When new vulnerabilities are discovered, they can be easily exploited due to the lack of software support. After 8 April 2014, Microsoft will not be providing updates, security patches or technical support for Windows XP, Office 2003, Windows Server 2003, Exchange 2003 and Sharepoint It is recommended that any organisation still using any of these products should upgrade to supported software as soon as practically possible. Some Australian Government agencies will have been unable to fully migrate away from Windows XP prior to its end of support date. ASD has published guidance to OnSecure on mitigations and minimising the risk for XP. So while XP has served a lot of organisations well, it s time is now over and agencies need to upgrade sooner rather than later. Further Guidance ASD message and advice on minimising risk for end of support for XP: Advice from Microsoft on the end of support for XP: Issue #13 June 2014 Page 2

3 Harder, Better, Stronger Passwords. We all have them. Lots of them. Passphrases are common authentication techniques which enable an agency to verify the stated identity of a user. However, given the everincreasing processing power of home computers, the length and complexity requirements for passphrases will also continue to increase. This is necessary to provide agencies with adequate protection against basic techniques such as brute force attacks. A brute force attack involves the attacker systematically checking every possible passphrase until the correct one is found. A simple six-letter password can be brute forced in minutes by software freely available on the internet. The requirements for passphrase length and complexity have been increased in the current version of the Australian Government Information Security Manual (ISM), released in March What can be done? Continually increasing the length and complexity requirements for your system users can be cumbersome. Users tend to have difficulty remembering long, complex passphrases without writing them down. Agencies can consider implementing additional authentication measures, such as multi-factor authentication. This decreases the reliance on long, complex passphrases. Multi-factor authentication means choosing two or more of the following authentication methods: y something one knows, such as a passphrase or response to a challenge or question y something one has, such as a passport, physical token or identity card y something one is, such as biometric data, like a fingerprint or face geometry. The theft of user credentials can make breaking into the most well defended networks a walk in the park. Strengthening agency passphrase policy is critical to ensuring your agency is a hard target for malicious intruders. The ISM is available from the ASD website. Issue #13 June 2014 Page 3

4 Watch that Webmail Web-based , or webmail, is a convenient way to communicate from anywhere, at any time. Webmail is that is accessed through a web browser such as Windows Live Mail, Gmail, Yahoo or provided by Internet Service Providers. However, government agencies using webmail for business purposes should be aware of the security risks of this approach. Government agencies have their own security measures for handling and other sensitive communications. Employees using a webmail account for sensitive business information will not have these same protections for their communications. This increases the risk of unauthorised disclosure and in some cases, this may even breach legislative requirements. It is also important to note that agencies may not have full control over your data when using a webmail service. Service providers are subject to the laws and regulations of the country where they are based. This may involve a number of countries, depending on where the data is stored and processed and where it transits. Foreign governments may have the right to lawfully access the data held by the webmail service without user knowledge. It may also be difficult to sanitise or clean up data spills in the case of a data leak. ASD has seen malicious s that have been sent to government agencies also forwarded onto users personal webmail accounts, which can lead to the compromise of the device used to access the webmail such as a personal mobile phone or tablet. In some cases, the device may already be compromised (for example, if you are using a public terminal or a device running outdated and vulnerable software.) If you and your colleagues become accustomed to seeing webmail used for business, there is the danger that it will be more difficult to detect the commonly used intrusion technique of spoofing. This is where a webmail account is set up to appear as if it is a legitimate user, to trick the receiver into opening the and clicking on a malicious link or attachment. If your agency does allow webmail use, it is recommended that you: use your agency s service rather than webmail when accessing from your work network maintain separate accounts for work and personal purposes send only publicly available, unclassified government information over webmail never send sensitive or classified information ensure that your webmail software is up to date with anti-virus installed use a strong and unique password or multi-factor authentication to enhance the security of your account. More information is available at the ASD website in the Protect publication Implications of Using Webmail for Government Business. Issue #13 June 2014 Page 4

5 4 p o T e h 4 Top The T for Penguins s n i u g n e P r fo In today s environment, most organisation workstations use Microsoft Windows or Linux operating systems (or a combination of both). Implementation of the Top 4 in a Linux environment presents different challenges to a Windows operating system, particularly application whitelisting. ASD has released a new document to assist organisations in implementing the Top 4 on Linux. This advice complements ASD s previously published guidance document Implementing the Top 4 in a Windows Environment. continued on page 6 Issue #13 June 2014 Page 5

6 The Top 4 for Penguins Application whitelisting on Linux can be very difficult to implement due to the high amount of resources required for development and maintenance. While administrators can use the AppLocker or Software Restriction Policies on Windows-based workstations, equivalent mechanisms are not present in either the core Linux kernel or other popular Linux distributions. However, this does not mean that it can t be done. ASD is focussed on technical solutions that are achievable, effective and practical in the government environment. As a result, ASD s The Top 4 in a Linux Environment provides not only guidance on how to implement application whitelisting on Linux, but also technical advice on how to harden a Linux machine without it, while still ensuring a comparable level of security to a Top 4-hardened Windows machine. These include commercial solutions, SELinux or AppArmour policies, and the use of custom Linux security modules. The document also provides technical guidance on patching applications, patching the operating system and restricting the number of users with administrative privileges on Linux. The Top 4 in a Linux Environment is available on ASD s website asd.gov.au with a suite of publications designed to assist in implementation of the Top 4 strategies. The Top 4 Strategies to Mitigate Targeted Cyber Intrusions has been shown to prevent at least 85% of cyber intrusion techniques when implemented as a package. These strategies are based on those intrusion techniques which target the workstation. The Top 4 strategies are: 1. Application whitelisting 2. Patching applications 3. Patching operating systems 4. Restricting administrator privileges ASD Contact Details For non-urgent and general ICT security enquiries: asd.assist@defence.gov.au For urgent and operational government ICT security matters: Phone: 1300 CYBER1 ( , select 1 at any time, or Complete the cyber security incident report form at Issue #13 June 2014 Page 6