Information security management guidelines


Information security management guidelines
Agency cyber security responsibilities when transacting online with the public
Version 2.1
Approved July 2014
Amended April 2015

Commonwealth of Australia 2013
All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence. For the avoidance of doubt, this means this licence only applies to material as set out in this document. The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3.0 AU licence.

Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour website.

Contact us
Inquiries regarding the licence and any use of this document are welcome at:
Business Law Branch
Attorney-General's Department
3-5 National Cct
BARTON ACT 2600
Telephone: (02)
copyright@ag.gov.au

Document details
Security classification: Unclassified
Dissemination limiting marking: None
Date of security classification review: Not applicable
Authority: The Attorney-General
Author: AGD
Document status: Approved July 2014

Contents
Purpose ... 1
Scope ... 1
Background ... 1
Action required ... 2
Further information ... 2
Potential threat sources to the public when transacting with Australian Government agencies ... 3
Suggested actions to reduce the risk of harm to the public transacting online with Australian Government agencies ... 4
Unauthorised use of public online services by commercial or other third party organisations ... 7
Suggested actions to reduce unauthorised use of public online services by commercial or other third party organisations ... 8
Administrative ... 8
Technical ... 8
Notification ... 9
Model website terms and conditions
Model Cease and Desist letters
Letter 1 Initial Letter
Letter 2 Follow Up Letter

Amendments
No. | Date | Location | Details
1 | April 2015 | Throughout | Update links
2 | April 2015 | Throughout | Insert paragraph numbers

Purpose
1. This guideline aims to assist agencies to understand and address their responsibility to minimise the risk of harm to the public when transacting online with the Australian Government. It will also help agencies assess and mitigate the risks attached to unauthorised activity on their websites, which might, for example, involve unauthorised use of their data holdings. The guideline will also assist agencies to apply the Australian Government's Cyber Security Strategy within their agency and provides national leadership by adopting best practice models.

Scope
2. The scope of this advice includes:
- the public and business (including all non-Commonwealth Government external parties) [1]
- all Australian Government online services delivered through websites or web services protocols
- transactions conducted or facilitated by external parties that either wholly or partially support Australian Government service activities [2]
- the public that indirectly access Australian Government service activities through non-Commonwealth Government intermediary parties, and
- public access to all Australian Government online services hosted by government or service providers.
3. The scope of advice does not include risks specific to:
- , and
- removable media used to facilitate online transactions.

Background
4. The Australian Government is committed to maintaining a safe, secure, resilient and trusted online environment that supports Australia's national security and maximises the benefits of the digital economy.
5. Online services offer the public a convenient, efficient and accessible means to access government services. However, as the demand for online government services continues to grow, so too does the scale, sophistication and perpetration of cybercrime and activities by either malicious or benign actors. This entails risk both to the public using the online service and to the agency offering it.
6. The Australian Government recognises these threats and identifies cyber security as one of its top tier national security priorities. As Australia continues to experience an increase in cyber activities, it is essential for Australian Government agencies to continue to actively consider the risks to public users of Government online services as well as the risks that agencies are exposed to when operating such services.

[1] For the sake of brevity, the term "public" used throughout this guideline also encompasses business.
[2] Service activities include, but are not limited to, programs, initiatives, grants, policy design etc.

Action required
7. Agencies should adopt mitigation strategies to avoid unnecessarily exposing the public to cyber security risks when they transact online with government. Agencies should also note the possibility that online service portals may be used by commercial or other third party organisations, on an unauthorised basis, to access or verify government records. This practice involves a range of potential privacy, security and fraud related risks to the individuals and agencies concerned and imposes costs on agencies associated with managing unauthorised online transactions.
8. Agencies are therefore required to assess these risks and develop appropriate risk mitigations. As a starting point, agencies should evaluate the threat scenarios identified in Annex A and Annex B in their risk assessment and adopt applicable security controls for the online services provided. In order to inform this assessment, agencies should consult with the public and consider their own legislative requirements. Agencies should also consider using the mitigation strategy examples at Annexes A and B when developing their risk management plan.
9. In this context, Australian Government agencies are required to apply sound security risk management practices in accordance with the Australian Standards ISO/AS/NZS 31000:2009 Risk Management Principles and guidelines and HB 167/2006 Security Risk Management. The Protective Security Policy Framework (GOV-6) mandates this requirement.
10. These should be read in conjunction with the Protective Security Policy Framework and the Information Security Manual, under which these Guidelines sit.
11. This guideline will be reviewed by 2017 to ensure relevance and application to Government online services.

Further information
12. Agency business areas that provide online services should seek to maintain an in-house IT security capability that works closely with the agency IT Security Advisor (ITSA). The first point of contact for an agency to seek advice is the ITSA. Each ITSA is expected to maintain awareness of cyber security policy and the threat environment.
13. Requests for additional information on this guideline and the Australian Government Cyber Security Policy should be directed to:
Protective Security Policy Section
Attorney-General's Department
3-5 National Circuit
BARTON ACT
pspf@ag.gov.au

Information Security Operations Branch
Australian Signals Directorate
PO BOX 5076
KINGSTON ACT
asd.assist@defence.gov.au

Annex A
Potential threat sources to the public when transacting with Australian Government agencies
14. As online services and transaction portals continue to evolve, agencies should evaluate the following threat scenarios:
- An attacker masquerades as a legitimate agency website to compromise a public user's internet connected device, to steal their identity or to scam them into providing financial details (including credit card details).
- An agency website is compromised and used to host malicious software which subsequently compromises an internet connected device used by the public when they access the website.
- An agency website is compromised and used to redirect public users transacting with the website to another malicious website that subsequently compromises their internet connected device.
- A compromised agency website could result in public users' username/password details being stolen and an attacker masquerading as the user to claim government or other financial benefits.
- The compromised account details of public users could lead to the compromise of other websites, as public users may use the same details for multiple government online accounts.
- The compromise of an internet connected device used by the public could result:
  - in their addition to a botnet to participate in illegal activities
  - in the theft of details for fraud or identity theft purposes
  - in the blackmail of the user (where attackers encrypt hard drives and demand money for a decryption key), and
  - in the corruption of the internet connected device and loss of user information.
- A pattern of online requests for personal information that is unusual and not routine.

Suggested actions to reduce the risk of harm to the public transacting online with Australian Government agencies
15. In conjunction with their risk assessment, agencies should evaluate the following actions to reduce the risk of harm to users transacting with government:

Where online transaction accounts are in use:
- agencies should require users to accept Account Terms and Conditions prior to establishing an account and when the Terms and Conditions change. These Account Terms and Conditions should contain a warning that explains (in simple terms):
  - the specific risks associated with the use of the online service
  - who may, or may not, use the service and under what circumstances, and
  - details of alternate channels for service and/or support.
- a query button should be linked to an agency's Privacy Policy page to provide further information to public users on the conditions of acceptance, and
- agencies should not implement transaction processes that put the user at risk of unnecessary harm, for example by requiring the public user to lower or reduce their security protection measures.

When a public user elects to download any non-public information from an agency website:
- an appropriate pre-download warning identifying the potential risk should be in place, for example: "Warning: you are about to download information across an unsecured connection."
- warning options (Proceed, Cancel or ?) should be provided, and
- agencies should also provide links to additional information on associated risks, for example, by including hover information over the question or query mark noted above.

All Australian Government websites should:
- ensure website statements include a Security Notice and a Disclaimer Notice. Agencies should evaluate using the Australia.gov.au website as a template for these notices in consultation with an agency's legal area. For example, agencies should advise the public to report any suspicious or unauthorised activity related to an online transaction to the responsible agency, and
- include a link to government cyber advice:
  - Protecting Yourself Online: What Everyone Needs to Know
  - CyberSmart: Cyber Safety for kids, teens, parents, libraries, schools
  - Stay Smart Online: Cyber Security for Australian internet users
  - SCAMWatch: online information on avoiding and reporting scams
  - CERT Australia: Australia's national computer emergency response team
  - The Australian Government Cyber Security Strategy
  - The Australian Federal Police

Patches for online services (including the maintenance of information-only web pages) and associated web servers should be actioned as a level 1 priority by the agency's IT support. Delays in patching may create cyber security vulnerabilities for public users.

Online transactions that transfer personal details to the government should be done over a secure connection and only transfer the specific details required. Agencies should only collect information from users necessary for the delivery of a service.

Agencies that use social networking services to interact with the public should:
- carefully evaluate privacy and security implications when collecting and retaining personal information as part of a service, and/or
- monitor social networks for possible malicious hyperlinks embedded in posts where those posts are not directly moderated by that agency before publishing.

Where appropriate and reasonable, agencies may offer or impose higher level security credentials such as one-time passwords, digital certificates or tokens.

Agencies should impose restrictions on, or warnings about, particular browser versions that are known to have security weaknesses or are out of date and/or unsupported.

Agencies should analyse patterns of online user interactions for unusual activity that could indicate a security compromise.

Agencies should notify users about unusual or higher risk online activity on their account.

Agencies should display the previous login time and date when a user next logs in. If an agency is implementing a high value or high risk transaction, it may wish to consider sending a follow-up to the user notifying them that their account has been accessed, with details of the associated Internet Protocol (IP) address.

Agencies should profile user access devices to detect unusual access vectors that could suggest a security compromise.

Agency s should carry clear messages about what agencies won't require users to do on the basis of an , for example, requesting the user to provide sensitive personal information such as logon credentials. Agencies should also consider providing advice on, or links to, cyber security and cyber safety information.

Agencies should implement a password policy to help users select a secure password.

Agencies should perform a code audit of any web application used on the agency's website, to ensure there are no security vulnerabilities that could be exploited.

Agencies should alert users when they are being redirected to an external website, i.e. third party websites including other government agencies or private sector organisations.

16. In addition to the measures listed above, agencies are to adhere to the current Australian Government Information Security Manual advice on hardening of web servers and web applications.

Annex B
Unauthorised use of public online services by commercial or other third party organisations
17. As online services and transaction portals continue to evolve, agencies should evaluate the risk of these services being used by commercial or other third party organisations, on an unauthorised basis, for identity verification purposes ("screen-scraping").
18. Such unauthorised use could take the form of:
- An external party re-engineering legitimate transactions conducted through an online service as a way of confirming or validating information held by an agency. This could include a client's personal information or unique identifier (i.e. an account reference or credential number), or
- An external party seeking public users to provide personal information to verify their identity, and then using those details to gain access to further personal or sensitive information contained in their online account.
Indications that such unauthorised use of online services is occurring may include:
- Login processes that might allow personal or sensitive information to be disclosed or inferred
- An unusual pattern of online requests for services using personal information, such as requests for services using personal information for multiple persons that originate from the same source(s), or
- Third party identity services claiming to utilise an agency's databases for identity proofing or verification purposes, without an agreement to do so.

Suggested actions to reduce unauthorised use of public online services by commercial or other third party organisations
19. In conjunction with their risk assessment, agencies should consider the following actions to reduce the risks to users, their agency and government associated with the unauthorised use of online services by commercial or other third party organisations for identity verification purposes ("screen-scraping"):

Administrative
Where online transaction accounts are in use:
- Agencies should require users to accept Account Terms and Conditions prior to establishing an account and when the Terms and Conditions change. These Account Terms and Conditions should contain a warning that explains (in simple terms):
  - the specific risks associated with the use of the online service
  - who may, or may not, use the service and under what circumstances, and
  - details of alternate channels for service and/or support.
- A query button should be linked to an agency's Privacy Policy page to provide further information to public users on the conditions of acceptance.
(Model Account Terms and Conditions are provided in Attachment 1 of these Guidelines.)

Technical
Where appropriate and reasonable, agencies should implement technological measures to limit access to services by non-human entities. Examples of technological measures include:
- Completely Automated Turing test to tell Computers and Humans Apart (CAPTCHA)
- one time passwords
- two factor authentication, or
- secret questions and answers.
Where appropriate and reasonable, agencies should implement technological measures to limit access to services by third parties breaching Account Terms and Conditions. Examples of technological measures include:
- Internet Protocol (IP) address blocking
- preventing deep linking to a dynamic URL, including through the use of robots.txt files, or
- blocking access to services by virtual machines or other mechanisms such as The Onion Router (TOR).
Where appropriate and reasonable, agencies should limit access to accounts where unusual or higher risk online activity has been detected.
Where appropriate and reasonable, agencies should display the previous login time, date and location when a user next logs in. If an agency is implementing a high value or high risk transaction, it may send a follow-up to the user notifying them that their account has been accessed, with details of the associated IP address.
Where appropriate and reasonable, agencies should analyse patterns of online user interactions for unusual activity that could indicate a security compromise.
Where appropriate and reasonable, agencies should profile user access devices to detect unusual access vectors that could suggest a security compromise.
Where appropriate and reasonable, agencies should keep a log of all accesses to their online services and, where appropriate, website, including time, date, IP address, user agent and username of the account accessing the service.

Notification
If the administrative and technical measures above are not sufficient to reduce the unauthorised use of online services, agencies should notify the organisations concerned to formally request that they cease and desist from this practice.
- It is recommended agencies seek legal advice before notifying the organisations concerned.
(Sample cease and desist letters are provided in Attachment 2 of these Guidelines.)
If formal notification is not sufficient to reduce the unauthorised use of online services, agencies may consider other legal avenues. (Further information on this issue can be sought from the Attorney-General's Department.)
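As an added example (not part of the guideline), the following script shows how the logging, analysis, previous-login and device-profiling actions listed in Annexes A and B can be applied to an access log that records the fields the guideline names (time, date, IP address, user agent, username): it flags a source querying personal information for multiple persons within a short window (the Annex B indicator), produces the previous-login details to show a user at their next login, and flags a login from a device not previously seen for that user. The pipe-delimited log format, the sample entries, the five-minute window and the three-person threshold are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not an agency's real log format). Fields:
# timestamp | source IP | user agent | username | action
SAMPLE_LOG = """\
2015-04-01T09:00:05|203.0.113.10|Mozilla/5.0 (Windows NT 6.1)|alice|login
2015-04-01T09:00:30|203.0.113.10|Mozilla/5.0 (Windows NT 6.1)|alice|view_record
2015-04-01T09:01:00|198.51.100.7|python-requests/2.5|bob|verify_identity
2015-04-01T09:01:02|198.51.100.7|python-requests/2.5|carol|verify_identity
2015-04-01T09:01:04|198.51.100.7|python-requests/2.5|dave|verify_identity
2015-04-01T09:01:06|198.51.100.7|python-requests/2.5|erin|verify_identity
2015-04-01T09:01:08|198.51.100.7|python-requests/2.5|frank|verify_identity
2015-04-01T11:20:00|203.0.113.44|Mozilla/5.0 (Macintosh)|grace|login
2015-04-02T14:30:00|192.0.2.55|Mozilla/5.0 (Linux; Android 5.0)|alice|login
"""


def parse_log(text):
    """Parse pipe-delimited log lines into dicts, oldest first.
    Malformed lines are skipped so one bad record cannot stop the analysis."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, ip, agent, user, action = parts
        entries.append({"time": datetime.fromisoformat(ts), "ip": ip,
                        "agent": agent, "user": user, "action": action})
    return sorted(entries, key=lambda e: e["time"])


def multi_person_sources(entries, window=timedelta(minutes=5), threshold=3):
    """Annex B indicator: requests using personal information for multiple
    persons from the same source. Slides a time window over each source's
    own entries and returns {ip: max distinct usernames in any window} for
    sources that reach the threshold (assumed values: 5 minutes, 3 persons)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            best = max(best, len({e["user"] for e in evs[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def previous_login(entries, user, current_time):
    """Details of the user's last login before `current_time` (an ISO string
    or datetime), for display at the next login as Annexes A and B suggest.
    Returns None when there is no earlier login to show."""
    if isinstance(current_time, str):
        current_time = datetime.fromisoformat(current_time)
    prior = [e for e in entries if e["user"] == user
             and e["action"] == "login" and e["time"] < current_time]
    if not prior:
        return None
    last = prior[-1]
    return {"time": last["time"].isoformat(), "ip": last["ip"],
            "agent": last["agent"]}


def new_device_logins(entries):
    """Device profiling: a login from an (IP, user agent) pair never seen
    before for that user. Each user's first login is the baseline and is not
    flagged; later logins from an unseen pair are returned for follow-up."""
    seen = defaultdict(set)
    flagged = []
    for e in entries:
        if e["action"] != "login":
            continue
        fingerprint = (e["ip"], e["agent"])
        if seen[e["user"]] and fingerprint not in seen[e["user"]]:
            flagged.append((e["user"], e["time"].isoformat(), e["ip"]))
        seen[e["user"]].add(fingerprint)
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("multi-person sources:", multi_person_sources(log))
    print("previous login for alice:",
          previous_login(log, "alice", "2015-04-02T14:30:00"))
    print("new device logins:", new_device_logins(log))
```

On the sample data the scripted source 198.51.100.7 is flagged for five persons in eight seconds, and alice's login from the Android device is reported as a new device while the display shows her earlier login from 203.0.113.10.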

Attachment 1
Model website terms and conditions
You may only use this website if you agree to the following conditions of use. [For clickwrap insert "I agree". For browse-wrap, insert "If you choose to proceed with using this website, you will be taken to agree to be legally bound by these conditions."]
- You will use this website solely for your own personal use for the purpose of [agencies to insert purpose of website, e.g., "renewing your Australian passport"], and not for any other purpose, including for any direct or indirect access or use by any third party.
- Details on this website may only be accessed through this homepage, and only using the user name and authentication details which have been specifically allocated to you.
- You will not permit any other person to use your user name and authentication details to access this website.
- The use of any software (e.g., bots, scraper tools) or other automatic devices to access, monitor or copy the website pages or their contents is prohibited unless expressly authorised by [the agency] in writing.

Attachment 2
Model Cease and Desist letters

Letter 1 Initial Letter

Dear [Insert name]

Re: Cease and desist unauthorised activities

I am writing to you regarding [COMPANY]'s access to the [AGENCY NAME] [SERVICE NAME] web-based service portal. It has come to our attention that [COMPANY] has been accessing [THE SERVICE] to [REASONS FOR UNAUTHORISED USE].

This online facility has been developed for the purpose of providing [SERVICE DESCRIPTION] for the members of the public with whom we have a relationship. You may have noticed that [AGENCY] has posted specific terms and conditions regarding the use of that online facility. These set out that the Service is offered for personal use only and for the purpose of [PURPOSE FROM THE T&C]. Additionally, the terms and conditions also prohibit access by third parties for any reason, including access through automated means unless expressly agreed by [AGENCY], particularly as the accuracy of the data being accessed is not guaranteed.

The [AGENCY] hopes that [COMPANY] appreciates that we do take these matters seriously and requests that [COMPANY], including any other party acting on your behalf or behest, takes all steps to discontinue this activity on our website.

We would be happy to discuss this at your earliest convenience and suggest that [COMPANY] might consider other more conventional ways in which you can meet your business needs. For example, [COMPANY] might consider making use of the national Document Verification Service (DVS) which provides an official, authorised channel for verifying information contained on identity documents such as our own. Information on the DVS is available at

For general information on how to comply with our terms and conditions, please contact [CONTACT NAME], [POSITION]. [NAME] can be contacted at [ ] or on [PHONE NUMBER].

Yours Sincerely,
[NAME BLOCK]

Letter 2 Follow Up Letter

Dear [Insert name]

Re: Demand to cease and desist from unauthorised activities

I am writing to you regarding [COMPANY]'s continued use of the [AGENCY NAME] [SERVICE NAME] service (the Service). We previously wrote to you regarding this matter on [DATE] requesting that [COMPANY] take steps to discontinue the activity in question.

As stated in that previous correspondence, this type of access to our web facilities is contrary to the terms and conditions we have posted regarding use of the Service. The terms and conditions set out that the Service is offered for personal use only and for the purpose of [PURPOSE FROM THE T&C]. Additionally, the terms and conditions also prohibit access by third parties for any reason, including access through autonomous means unless expressly agreed by [AGENCY].

The [AGENCY] respectfully requests that [COMPANY], including any other party acting on your behalf or behest, cease and desist from its continuing use of the Service. We would appreciate a response to this request by [WITHIN 21 DAYS] confirming that [COMPANY] agrees to act in accordance with this request.

To further discuss how to comply with the terms and conditions please contact [CONTACT NAME], [POSITION]. [NAME] can be contacted at [ ] or on [PHONE NUMBER].

Yours Sincerely,
[NAME BLOCK]


More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

005ASubmission to the Serious Data Breach Notification Consultation

005ASubmission to the Serious Data Breach Notification Consultation 005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation

More information

Electronic business conditions of use

Electronic business conditions of use Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

More information

General tips for increasing the security of using First Investment Bank's internet banking

General tips for increasing the security of using First Investment Bank's internet banking General tips for increasing the security of using First Investment Bank's internet banking Dear Clients, First Investment Bank (Fibank, the Bank) provides you with high level of protection and security

More information

Microsoft Office Macro Security

Microsoft Office Macro Security Microsoft Macro Security March 2016 Introduction 1. Microsoft applications can execute macros to automate routine tasks. However, macros can contain malicious code resulting in unauthorised access to sensitive

More information

Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013

Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013 Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013 This Microsoft privacy statement sets out how your personal information is used by Vodafone in connection with the provision of the Microsoft

More information

Media Shuttle s Defense-in- Depth Security Strategy

Media Shuttle s Defense-in- Depth Security Strategy Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among

More information

Application to access Chesters Trade

Application to access Chesters Trade Application to access Chesters Trade Please fill in all details below: Account Number Company Name Company Phone Number Fax Number Contact Name Mobile Number Email Address Please review the Terms of Use

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

University System of Maryland University of Maryland, College Park Division of Information Technology

University System of Maryland University of Maryland, College Park Division of Information Technology Audit Report University System of Maryland University of Maryland, College Park Division of Information Technology December 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND

More information

Best Practices Guide to Electronic Banking

Best Practices Guide to Electronic Banking Best Practices Guide to Electronic Banking City Bank & Trust Company offers a variety of services to our customers. As these services have evolved over time, a much higher percentage of customers have

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

Business Online Information Security

Business Online Information Security Business Online Information Security pic Reducing your risk and ensuring your information is secure Due to the nature of the transactions you perform using the Business Online service, it is important

More information

Red ALERT Notification of Patches for Shoplift Bug. Making the UK more resilient against Cybercrime OFFICIAL. Date: June 2016. Reference: 0309-CYB

Red ALERT Notification of Patches for Shoplift Bug. Making the UK more resilient against Cybercrime OFFICIAL. Date: June 2016. Reference: 0309-CYB Red ALERT Notification of Patches for Shoplift Bug Making the UK more resilient against Cybercrime Date: June 2016 Reference: 0309-CYB This Red Alert is issued by the United Kingdom s National Crime Agency

More information

Online Banking Customer Awareness and Education Program

Online Banking Customer Awareness and Education Program Online Banking Customer Awareness and Education Program Electronic Fund Transfers: Your Rights and Responsibilities (Regulation E Disclosure) Indicated below are types of Electronic Fund Transfers we are

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Guidance for Data Users on the Collection and Use of Personal Data through the Internet 1

Guidance for Data Users on the Collection and Use of Personal Data through the Internet 1 Guidance for Data Users on the Collection and Use of Personal Data through the Internet Introduction Operating online businesses or services, whether by commercial enterprises, non-government organisations

More information

HKUST CA. Certification Practice Statement

HKUST CA. Certification Practice Statement HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 2.1 Date : 12 November 2003 Prepared by : Information Technology Services Center Hong Kong University of

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

Security tips for the use of social media websites

Security tips for the use of social media websites CYBER SECURITY OPERATIONS CENTRE NOVEMBER 2012 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL

More information

Recovering Your Identity. Advice for victims of identity crime

Recovering Your Identity. Advice for victims of identity crime Recovering Your Identity Advice for victims of identity crime How will you know your identity has been stolen? Identity crime is unfortunately very common. Around 1 in 5 Australians have been a victim

More information

Secure Web Applications. The front line defense

Secure Web Applications. The front line defense Secure Web Applications The front line defense Agenda Web Application Security Threat Overview Exploiting Web Applications Common Attacks & Preventative techniques Developing Secure Web Applications -Security

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Our Commitment to Your Security and Privacy

Our Commitment to Your Security and Privacy Our Commitment to Your Security and Privacy The First American Corporation, founded in 1889, is the leading provider of real estate-related financial services. First American is committed to offering an

More information

Remote Deposit Quick Start Guide

Remote Deposit Quick Start Guide Treasury Management Fraud Prevention How to Protect Your Business Remote Deposit Quick Start Guide What s Inside We re committed to the safety of your company s financial information. We want to make you

More information

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide

Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V2.0 NOVEMBER 2014 Information Security Registered Assessors Program - Gatekeeper PKI Framework Guide V 2.0 NOVEMBER

More information

NATIONAL CYBER SECURITY AWARENESS MONTH

NATIONAL CYBER SECURITY AWARENESS MONTH NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the

More information

TERMS AND CONDITIONS OF USE OF KUWAIT FINANCE HOUSE BAHRAIN S WEBSITE & INTERNET BANKING SERVICES

TERMS AND CONDITIONS OF USE OF KUWAIT FINANCE HOUSE BAHRAIN S WEBSITE & INTERNET BANKING SERVICES TERMS AND CONDITIONS OF USE OF KUWAIT FINANCE HOUSE BAHRAIN S WEBSITE & INTERNET BANKING SERVICES Acknowledgement and acceptance of Terms Kuwait Finance House (Bahrain) B.S.C. (the Bank, our, us or we

More information

IP AUSTRALIA B2B ONLINE TRANSACTION SYSTEM AGREEMENT

IP AUSTRALIA B2B ONLINE TRANSACTION SYSTEM AGREEMENT IP AUSTRALIA B2B ONLINE TRANSACTION SYSTEM AGREEMENT Name of Customer: (The Customer) A.C.N. A.B.N. IPA Customer Number Telephone Fax Email Physical Address Postcode Mail Address Postcode Name of the Customer

More information

Cloud Computing Security Considerations

Cloud Computing Security Considerations Cloud Computing Security Considerations Roger Halbheer, Chief Security Advisor, Public Sector, EMEA Doug Cavit, Principal Security Strategist Lead, Trustworthy Computing, USA January 2010 1 Introduction

More information

NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314

NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314 NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314 DATE: December 2002 LETTER NO.: 02-CU-16 TO: All Federally-Insured Credit Unions SUBJ: Protection of Credit Union Internet Addresses

More information

Safeguarding your organisation against terrorism financing. A guidance for non-profit organisations

Safeguarding your organisation against terrorism financing. A guidance for non-profit organisations Safeguarding your organisation against terrorism financing A guidance for non-profit organisations Safeguarding your organisation against terrorism financing A guidance for non-profit organisations ISBN:

More information

Please read these Terms and Conditions of Use carefully. They govern the provision and use of the MyPAYE Online Payroll service and website.

Please read these Terms and Conditions of Use carefully. They govern the provision and use of the MyPAYE Online Payroll service and website. Terms and Conditions of Use Your online payroll is run via for MyPAYE Online Payroll Service Please read these Terms and Conditions of Use carefully. They govern the provision and use of the MyPAYE Online

More information

How To Protect Yourself Online

How To Protect Yourself Online NetBank security guide Commonwealth Bank Personal 1 Contents Page 4 5 5 5 7 7 9 9 9 11 12 12 13 13 13 14 14 14 16 16 16 17 18 18 19 19 20 21 Section Peace of mind with NetBank What are the common online

More information

David Jones Storecard and David Jones American Express Card Member Agreement, Financial Services Guide and Purchase Protection. Terms and Conditions

David Jones Storecard and David Jones American Express Card Member Agreement, Financial Services Guide and Purchase Protection. Terms and Conditions David Jones Storecard and David Jones American Express Card Member Agreement, Financial Services Guide and Purchase Protection Terms and Conditions Issued May 2016 DAVID JONES STORECARD AND DAVID JONES

More information

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two

More information

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing

IBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing IBM Global Technology Services Statement of Work for IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing The information in this Statement of Work may not be disclosed

More information

First Federal Bank Online Banking Terms and Conditions Agreement Online Banking Service Business Online Banking Service Bill Payment Mobile Banking

First Federal Bank Online Banking Terms and Conditions Agreement Online Banking Service Business Online Banking Service Bill Payment Mobile Banking First Federal Bank Online Banking Terms and Conditions Agreement Online Banking Service Business Online Banking Service Bill Payment Mobile Banking First Federal Bank s Online Banking is available to all

More information

Common Cyber Threats. Common cyber threats include:

Common Cyber Threats. Common cyber threats include: Common Cyber Threats: and Common Cyber Threats... 2 Phishing and Spear Phishing... 3... 3... 4 Malicious Code... 5... 5... 5 Weak and Default Passwords... 6... 6... 6 Unpatched or Outdated Software Vulnerabilities...

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

Payment Fraud and Risk Management

Payment Fraud and Risk Management Payment Fraud and Risk Management Act Today! 1. Help protect your computer against viruses and spyware by using anti-virus and anti-spyware software and automatic updates. Scan your computer regularly

More information

ONLINE PAYMENT PRIVACY POLICY

ONLINE PAYMENT PRIVACY POLICY ONLINE PAYMENT PRIVACY POLICY Updated: June, 2013 In order to operate the College online-payments system, Sanjari International College (SIC) may collect and store personal information student/customer

More information

Online Banking Fraud Prevention Recommendations and Best Practices

Online Banking Fraud Prevention Recommendations and Best Practices Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee at Continental National Bank of Miami needs to know

More information

The Protection and Security of Electronic Information Held by Australian Government Agencies

The Protection and Security of Electronic Information Held by Australian Government Agencies The Auditor-General Audit Report No.33 2010 11 Performance Audit The Protection and Security of Electronic Information Held by Australian Government Agencies Australian National Audit Office Commonwealth

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

How To Sell Invoices To Westpac At A Discount

How To Sell Invoices To Westpac At A Discount Your Guide to Supplier Finance A Guide for Users of Westpac s Supplier Finance Portal Westpac Banking Corporation ABN 33 007 457 141 CONTENTS INTRODUCTION... 4 WHAT IS SUPPLIER FINANCE?... 4 SERVICES PROVIDED

More information

ICT Security Policy for Schools

ICT Security Policy for Schools WOLGARSTON HIGH SCHOOL Staffordshire ICT Security Policy for Schools A Statement of Policy Author: Readability Score: Frequency of Review: J Ablewhite 15-16 years Annually Amendments 2014 JA Page 1 of

More information

ONLINE BANKING AGREEMENT AND DISCLOSURE

ONLINE BANKING AGREEMENT AND DISCLOSURE ONLINE BANKING AGREEMENT AND DISCLOSURE This Online Banking Agreement and Disclosure ("Agreement") describes your rights and obligations as a user of the Online Banking service or the Bill Payment service

More information

Reliance Bank Fraud Prevention Best Practices

Reliance Bank Fraud Prevention Best Practices Reliance Bank Fraud Prevention Best Practices May 2013 User ID and Password Guidelines Create a strong password with at least 8 characters that includes a combination of mixed case letters and numbers.

More information

WHITE PAPER Usher Mobile Identity Platform

WHITE PAPER Usher Mobile Identity Platform WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com info@usher.com Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction

More information

2.1 Certain words have special meanings when used in this Privacy Policy. These are shown below.

2.1 Certain words have special meanings when used in this Privacy Policy. These are shown below. 1. OUR COMMITTMENT 1.1 In handling your personal information, Maleny Credit Union (ABN 52 087 650 995) and its controlled entities ( MCU / credit union / we / us ) are committed to complying with the Australian

More information

Email Protective Marking Standard Implementation Guide for the Australian Government

Email Protective Marking Standard Implementation Guide for the Australian Government Email Protective Marking Standard Implementation Guide for the Australian Government May 2012 (V2012.1) Page 1 of 14 Disclaimer The Department of Finance and Deregulation (Finance) has prepared this document

More information

ebanking Terms & Conditions

ebanking Terms & Conditions ebanking Terms & Conditions EFG Private Bank Limited Leconfield House Curzon Street London W1J 5JB Tel: +44 20 7491 9111 www.efgl.com EFG Private Bank Limited is authorised and regulated by the Financial

More information

Connect Smart for Business SME TOOLKIT

Connect Smart for Business SME TOOLKIT Protect yourself online Connect Smart for Business SME TOOLKIT WELCOME To the Connect Smart for Business: SME Toolkit The innovation of small and medium sized enterprises (SMEs) is a major factor in New

More information

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room MAXIMUM DATA SECURITY with ideals TM Virtual Data Room WWW.IDEALSCORP.COM ISO 27001 Certified Account Settings and Controls Administrators control users settings and can easily configure privileges for

More information

Malware & Botnets. Botnets

Malware & Botnets. Botnets - 2 - Malware & Botnets The Internet is a powerful and useful tool, but in the same way that you shouldn t drive without buckling your seat belt or ride a bike without a helmet, you shouldn t venture online

More information

INTERNATIONAL MONEY EXPRESS (IME) LIMITED ONLINE REMIT USER AGREEMENT

INTERNATIONAL MONEY EXPRESS (IME) LIMITED ONLINE REMIT USER AGREEMENT INTERNATIONAL MONEY EXPRESS (IME) LIMITED ONLINE REMIT USER AGREEMENT This User Agreement is version 1.01 and is effective from This Agreement Between International Money Express (IME) Limited (hereafter

More information

3.1 Security Operations Centers. 3.2 Portal. 3.3 Services Contacts

3.1 Security Operations Centers. 3.2 Portal. 3.3 Services Contacts Services Description IBM United Kingdom Limited Registered in England: 741598 Registered Office: PO Box 41, North Harbour, Portsmouth, PO6 3AU (hereinafter IBM ) IBM Managed Security Services (Cloud Computing)

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

Data Protection Act 1998. Bring your own device (BYOD)

Data Protection Act 1998. Bring your own device (BYOD) Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...

More information

BUSINESS ONLINE BANKING AGREEMENT

BUSINESS ONLINE BANKING AGREEMENT BUSINESS ONLINE BANKING AGREEMENT This Business Online Banking Agreement ("Agreement") establishes the terms and conditions for Business Online Banking Services ( Service(s) ) provided by Mechanics Bank

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

A Decision Maker s Guide to Securing an IT Infrastructure

A Decision Maker s Guide to Securing an IT Infrastructure A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

More information

Department of Employment Security Policy for External Service Providers and Users

Department of Employment Security Policy for External Service Providers and Users Department of Employment Security Policy for External Service Providers and Users employment.gov.au DOCUMENT PARTICULARS Document name Classification Department of Employment Security Policy for External

More information

WEB 2.0 AND SECURITY

WEB 2.0 AND SECURITY WEB 2.0 AND SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities

More information

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS Plurilock Security Solutions Inc. www.plurilock.com info@plurilock.com 2 H IGHLIGHTS: PluriPass is Plurilock static keystroke dynamic biometric

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy Contents 1. Internet Abuse... 2 2. Bulk Commercial E-Mail... 2 3. Unsolicited E-Mail... 3 4. Vulnerability Testing... 3 5. Newsgroup, Chat Forums, Other Networks... 3 6. Offensive

More information