PRINCIPLES 2014 Australian Government Information Security Manual

2014
Australian Government
Information Security Manual
PRINCIPLES
2014
Australian Government
Information Security Manual
PRINCIPLES
© Commonwealth of Australia 2014
All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia
licence. For the avoidance of doubt, this means this licence only applies to material as set out in this document.
The details of the relevant licence conditions are available on the Creative Commons website as is the full legal
code for the CC BY 3.0 AU licence.
http://creativecommons.org/licenses/by/3.0/au/deed.en
http://creativecommons.org/licenses/by/3.0/legalcode
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the Department of the Prime Minister and
Cabinet’s website.
http://www.dpmc.gov.au/guidelines/index.cfm
Contact us
Inquiries regarding the licence and any use of this document are welcome at:
Australian Signals Directorate
PO Box 5076
Kingston ACT 2604
1300 CYBER1 (1300 292 371)
[email protected]
FOREWORD
Foreword
In recent years, the Australian Government has made great advances in bringing its business
online. The benefits of government information and communications technology (ICT) systems
and services becoming increasingly connected will continue as the government makes the
most of new technologies. However, this new, connected way of doing business also creates
opportunities for adversaries to gain an advantage by exploiting these technologies to access
information of national importance.
As our intrusion detection, response, mitigation and threat assessment capabilities continue to
improve, so too do the skills of cyber threat actors. This requires us to be vigilant, flexible and
proactive in our approach to cyber and information security.
A strong security is not a trivial process — it requires ongoing vigilance and resources. By
continually hardening our defences, we have a greater chance of protecting the information
entrusted to us.
The Australian Government Information Security Manual (ISM) comprises three complementary
documents designed to provide greater accessibility and understanding at all levels of
government. This Principles document details the guiding principles and rationale to assist
senior decision makers in developing informed risk–based information security policies within
their organisations.
I commend you on your agency’s efforts to strengthen your cyber and information security
and trust you’ll continue to keep security as an agency priority.
Dr Paul Taloni
Director
Australian Signals Directorate
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
iii

iv
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
CONTENTS
Contents
Forewordiii
INFORMATION SECURITY: COUNTERING THE THREAT 1
The Threat Environment
2
Countering the Cyber Threat
6
The Australian Government Information Security Manual
8
ASD’s Role
10
PRINCIPLES11
Information Security Risk Management
12
Roles and Responsibilities
14
Industry Engagement and Outsourcing
15
Information Security Documentation
17
System Accreditation
19
Information Security Monitoring
22
Cyber Security Incidents
24
Physical Security
27
Personnel Security
29
Communications Infrastructure
31
PSPF Mandatory Requirement INFOSEC 4 Explained
35
Product Security
37
Media Security
39
Software Security
42
Email Security
45
Access Control
47
Secure Administration
49
Cryptography50
Network Security
52
Cross Domain Security
55
Data Transfers and Content Filtering 56
Working Off–Site
57
SUPPORTING INFORMATION
61
Glossary of Terms
63
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
v
INFORMATION
SECURITY:
COUNTERING
THE THREAT
1
I N F O R M AT I O N S E C U R I TY: C O U N T E R I N G T H E T H R E AT
Information Security: Countering
the Threat
The Threat Environment
DID
D I D YOU
YO U K N
NOW?
OW?
Advances in information and communications technology (ICT) are allowing for greater
accessibility, mobility, convenience, efficiency and productivity across almost all aspects of
Australian life. Australia’s national security, economic prosperity and social wellbeing now
depend on ICT, and the Internet in particular. The security of sensitive government and
commercial information, the security of our digital infrastructure, and public and international
confidence in Australia as a safe place to do business online are critical to our future.
In 2012 there
were 74,000
new unique
malicious web
domains.1
Because any Internet–connected device or computer system is
highly susceptible to malicious cyber activity, our dependence
on ICT also brings greater exposure to threats. The threat is
not limited to classified systems and information. A wide range
of institutions, both public and private, have been subjected to
malicious cyber activities.
Australia continues to be the target of persistent and sophisticated
cyber exploitation activity by malicious actors. The most prevalent
threat to Australian networks is cyber exploitation; that is, activity
by malicious actors to covertly collect information from ICT
systems. Australia is also threatened by the possibility of cyber
attack—offensive activity designed to deny, degrade, disrupt or
destroy information or ICT systems.1
Tools and Techniques
Malicious software (malware) is the main tool used to gain unauthorised access to computers,
steal information and disrupt or disable networks. Since malware—along with instructions
and guidance for its use—is readily available on the Internet, anyone with intent is able to
access the tools and information needed to undertake malicious cyber activity. Examples of
malware include trojans—programs which seem legitimate but provide malicious actors with a
backdoor into systems—as well as spyware, a general term for programs that covertly monitor
and collect information from a system. Information stolen can be used to craft targeted cyber
intrusions, create false identities, or even facilitate access into more valuable commercial or
government systems. Any computer compromised by malware has the potential to be invisibly
conscripted into networks of compromised Internet–connected computers, known as botnets.
Botnets are used to send spam, steal information, distribute malware and conduct attacks on a
larger scale.
1 Symantec Corporation, Internet Security Threat Report 2013, 2013.
2
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
I N F O R M AT I O N S E C U R I TY: C O U N T E R I N G T H E T H R E AT
DID
D I D YOU
YO U K N
NOW?
OW?
A commonly used technique to spread malware is social
engineering, in which malicious emails are tailored to
entice the reader to open them. Unsuspecting users may
Healthcare,
be tempted to open malicious email attachments or follow
education and
embedded links to malicious websites—either action could
government
lead to a compromise. These campaigns are becoming
accounted for
increasingly tailored and credible. Malicious emails often
nearly two–thirds
appear to be from someone the reader knows, such as their
employer, colleague or friend. Some even have convincing–
of all identities
looking commercial logos and signatures and target a
2
breached in 2012.
specific personal interest or a subject matter relevant to
their work. Malicious websites can be equally convincing.
They can masquerade as a legitimate site used by an
individual, such as their personal banking website, in order to mislead them into revealing
personal information.2
Actors
The Australian Signals Directorate (ASD), through the Cyber Security Operations Centre
(CSOC), communicates key assessments to government regarding the actors and trends
observed in the Australian cyber threat environment.
Users
DID
D I D YOU
YO U K N
NOW?
OW?
Cyber exploitation and cyber crime are unintentionally enabled by everyday users at home,
at work or on mobile computing devices. Many users still assume that responsibility for
information security rests with the organisations with which they interact, such as banks
and online retailers. However, even the best technical security measures can be defeated
by inappropriate user behaviour. Some users, in particular individuals and small businesses,
are more vulnerable due to a general lack of awareness of cyber threats and relatively low
resources devoted to information security.
In 2012, more
than 80% of the
threats observed
by Sophos were
redirects, mostly
from legitimate
sites that had
been hacked.3
Users are targets in themselves for cyber crimes such as
fraud and identity theft. When compromised, users can also
become unintentional enablers of malicious cyber activity.
The increasingly interconnected nature of our private, public
and work ICT means that malware accidentally downloaded
on one system can quickly lead to the infection of other
devices across different environments. Inadvertently visiting
the wrong website or opening the wrong email attachment
can have wider consequences, including the conscription of
the device into a botnet—which can then be used to facilitate
large–scale cyber crime or cyber attacks—or establish an
access point into a connected personal, commercial or
government system.3
2 Symantec Corporation, Internet Security Threat Report 2013, 2013.
3Sophos, Security Threat Report 2013, 2013.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
3
I N F O R M AT I O N S E C U R I TY: C O U N T E R I N G T H E T H R E AT
Malicious Actors
DID
D I D YOU
YO U K N
NOW?
OW?
Australia is an attractive target for cyber exploitation due
to its prominent role in the Asia–Pacific region and major
international organisations, and its strong diplomatic,
defence and intelligence relationship with the United States.
Australia’s wealth, resource industries and niche expertise
in some research and development fields also motivate
actors to target Australia. Information collected through
cyber exploitation could be used to gain a relative economic,
diplomatic or political advantage against Australia. It can
also be used to bridge a technological gap. By stealing, for
instance, intellectual property malicious actors are able to
access new technologies while circumventing costly and
lengthy research and development programs. Personal
information gathered, such as financial or medical records, could also be used to enable
malicious activities through techniques such as social engineering. 4
In the first half of
2013 the number
of new mobile
malicious software
samples detected
exceeded 30,000.
The vast majority
of this malware
targeted the
android platform.4
State–sponsored actors work on behalf of a foreign entity and are the most active
malicious adversaries ASD has observed. They are also the most sophisticated and best
resourced adversaries. State–sponsored actors seek national security information to identify
vulnerabilities in our capabilities or to gain a strategic advantage. However, malicious activity
often has an economic focus, with targeting of Australia’s commercial sectors (for example,
the resources, banking and telecommunications sectors) also prevalent.
DID
D I D YOU
YO U K N
NOW?
OW?
Issue–motivated groups often seek to disrupt and
embarrass governments, international organisations
The Australian
and multinational corporations in an expression of anti–
Competition
establishment protest. These groups typically undertake acts
and Consumer
in response to specific controversial events or incidents, or
Commission
to coincide with significant dates or major events. Loosely
reported a loss of
coordinated international hacker groups, such as Anonymous
$93 million as a
and LulzSec, have gained notoriety and demonstrated
result of scams, a
their intent and capability to conduct cyber attacks and
9% increase from
data theft against a wide variety of high‑profile targets,
2011.5
including Australian government agencies. Citing a range
of idealistic motivations, such as fighting for individual
freedoms, calling for government transparency and opposing
censorship, as well as simply for malicious ‘fun’, the groups often exploit common and
relatively unsophisticated techniques to achieve their aims. For the most part, these attacks
have been embarrassing and inconvenient; however, the disclosure of sensitive commercial
or government information can threaten national interests, for example through the loss of
consumer confidence in Australia’s digital economy.5
4 McAffee Labs, McAffee Threats Report: Second Quarter 2013, 2013.
5 Australian Competition Consumer Commission, Targeting Scams: Report of the ACCC on scam activity
in 2012, 2013.
4
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
I N F O R M AT I O N S E C U R I TY: C O U N T E R I N G T H E T H R E AT
Cyber criminals are following legitimate businesses online to create new opportunities for
profit. The nature of the Internet—borderless, anonymous, easily accessible and holding high
volumes of financial, commercial and personal information—has boosted the incentives for
committing cyber crime and allowed its organisation to become more audacious, efficient
and effective.
A prolific and increasingly professional underground market of malicious cyber tools and
services exists on the Internet. This market includes the sale or hire of criminal malware and
botnets, guidance, recruitment and trading in stolen information such as credit card details
and intellectual property.
Criminals are becoming less content with simple, indiscriminate spam and fraud attempts, and
are developing sophisticated, customised malware that targets emerging technologies, social
media and mobile computing devices. The last few years have also seen a proliferation of
target–specific malware aimed at, for example, particular banks, types of ATMs and
financial exchanges.
Conclusion
The incentives for, and capability to conduct, malicious activity in cyberspace will be enhanced
by a combination of observed trends.
Motivation is increasing. Australia’s increasing reliance on the Internet is leading to
more high–value information being stored and communicated on Australian government and
commercial networks. This is boosting the incentive to undertake cyber crime or exploitation
for direct monetary profit or indirect economic and political advantage.
Capability is easier to acquire. Acquiring a cyber capability is becoming easier with
increasingly sophisticated tools, information, and guidance readily available online.
New technologies will generate new vulnerabilities. The proliferation of new
technologies will increase the number of potential vulnerabilities. Of note, the growth in cloud
computing and expanding use of mobile computing devices, such as smartphones, laptops
and tablet computers, will generate more platforms—with distinct software, settings and
applications—and more users to exploit.
The spectrum of malicious actors is expanding. The ease of acquiring a cyber capability
coupled with the potential high gains—whether financial, economic, diplomatic or political—is
enticing more actors into malicious cyber activity.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
5
I N F O R M AT I O N S E C U R I TY: C O U N T E R I N G T H E T H R E AT
Countering the Cyber Threat
Malicious cyber activity will continue to challenge Australia’s national security, economic
prosperity and social wellbeing. As cyber threats become increasingly sophisticated and
targeted, cyber security incidents can have significant and direct impacts on organisations.
However, properly assessing the security risks specific to your organisation can help to
minimise your vulnerability to cyber threats.
Questions Senior Management Need to Consider
Are you confident that your networks are not currently compromised? Is the security culture of
your organisation a strength or a weakness? Here are five questions you should discuss with
your information security team to review your organisation’s security measures.
What would a serious cyber security incident cost our organisation?
Good information security is like an insurance policy. Good security can avoid direct
costs of clean–up and also indirect costs such as downtime, lost productivity and loss
of reputation and confidence in your organisation. If customer records, financial data or
intellectual property were stolen, could you quickly and accurately determine what was lost?
What if you had to take a system offline to conduct a forensic or legal investigation?
Who would benefit from having access to our information?
Your information is valuable. There are many state and non–state actors who would
benefit from having access to your agency’s information. Identify critical information, the
confidentiality, integrity and the availability of which is essential to the ongoing function of
your organisation. It is important to consider the aggregated value of your information, not
only the value of individual records. Every organisation faces different threats and security
risks, and needs to deal with them in different ways.
What makes us secure against threats?
Security is an ongoing process, not a product. As cyber intrusions become more
sophisticated and targeted, so do information security techniques and processes. To secure
your organisation against threats, make sure appropriate security governance, clearly defined
policy, user education and third party assessments are in place, as they are all vital parts of
information security. There is no silver bullet for information security and security products
alone are not a solution.
Is the behaviour of my staff enabling a strong security culture?
Staff education is key. It only takes one malicious email attachment to be opened or one
malicious website to be accessed to potentially compromise your whole business. Effectively
trained staff enable a strong security culture. Responsibility for information is shared amongst
all members of your organisation, so all staff should be aware of the threat to reduce the
security risk of valued information being stolen.
6
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
I N F O R M AT I O N S E C U R I TY: C O U N T E R I N G T H E T H R E AT
Are we ready to respond to a cyber security incident?
Will a compromise affect your continuity? Sadly, many organisations generally do not
take information security seriously until they have been compromised. Your systems could be
taken offline by an attack, for example through a Denial of Service attack (an attempt to flood
networks with unwanted traffic to disrupt or degrade services), affecting the availability and
resilience of your network. Having access to current threat information, including the likelihood
and consequences, will enable informed risk assessments. By assessing the risk and allocating
adequate resources to protect your information security assets, your organisation can build a
stronger security foundation and improve resilience.
Most organisations conduct fire drills—perhaps it’s also time to test your resilience against a
serious cyber security incident.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
7
I N F O R M AT I O N S E C U R I TY: C O U N T E R I N G T H E T H R E AT
The Australian Government Information
Security Manual
The ISM, issued by ASD, is the Government’s flagship product designed to assist Australian
government agencies in applying a risk–based approach to protecting their information and
ICT systems. This manual supports the guiding principles and strategic priorities outlined in
the Australian Government Cyber Security Strategy by providing detailed information about
the cyber security threat, as well as assisting agencies in determining appropriate controls to
protect their information and systems.
While there are other standards and guidelines designed to protect information systems, the
advice in the ISM is specifically based on activity observed by ASD on Australian government
networks.
Format
The ISM is comprised of a high level ‘principles based’ document and a detailed Controls
manual, further complemented by an ‘Executive Companion’. This format is designed to be
more accessible to a wider audience across all levels of government to improve awareness of
information security issues.
Information Security Manual
This product suite targets different areas of your agency to ensure that key decision makers
across government are made aware of and involved in countering threats to their information
and ICT systems.
Executive
Companion
Information Security
Principles
Information Security
Controls
Device Specific Guides
Protect Publications
Australian Communication Security Instructions
8
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
I N F O R M AT I O N S E C U R I TY: C O U N T E R I N G T H E T H R E AT
These products are designed to complement each other and provide agencies with the
necessary information to make informed decisions based on their own business requirements,
specific circumstances and risk appetite.
The Executive Companion is targeted towards the most senior executives in each agency,
such as Deputy Secretaries, Secretaries and Chief Executive Officers, and comprises broader
strategic messaging about key information security issues.
The Principles document is aimed at Security Executives, Chief Information Security Officers,
Chief Information Officers and senior decision makers across government and focuses on
providing agencies with a better understanding of the cyber threat environment and rationale
to assist agencies in developing informed information security policies within
their organisations.
The Controls manual is aimed at IT Security Advisors, IT Security Managers and security
practitioners across government. This manual provides a set of detailed controls that, when
implemented, will help agencies adhere to the higher level Principles document.
ASD information security policies and guidance produced in addition to this manual may
address device and scenario–specific security risks to government information and systems.
Not all ISM requirements can be implemented on all devices or in all environments. Where
stipulated, these take precedence over the platform non–specific advice in this manual.
ASD produces information security policies and guidance in addition to this manual, such as
Australian Communications Security Instructions (ACSI), consumer guides, hardening guides
and Protect publications.
Compliance
The ISM provides agencies with a set of detailed controls that can be implemented to mitigate
risks to their information and systems. Agencies are encouraged to make informed, risk–based
decisions specific to their unique environments, circumstances and risk appetite.
There are two categories of compliance associated with the controls in this manual—‘must’
and ‘should’. These compliance requirements are determined according to the degree of
security risk an agency will be accepting by not implementing the associated control. ASD’s
assessment of whether a control is a ‘must’ or a ‘should’ is based on ASD’s experience in
providing cyber and information security advice and assistance to the Australian government
and reflect what ASD assesses the risk level to be. Agencies may have differing risk
environments and requirements, and may have other mitigations in place to reduce the
residual risk to an acceptable level.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
9
I N F O R M AT I O N S E C U R I TY: C O U N T E R I N G T H E T H R E AT
ASD’s Role
What ASD can do for you
As directed by the Intelligence Services Act 2001, ASD provides foreign signals intelligence
as well as advice and assistance on matters relating to the security and integrity of electronic
information. These twin missions complement each other, with the skillsets and capabilities
required to be an expert at one being precisely those required to master the other. It is the
same reasoning why Australia’s signals intelligence and information security functions were co–
located in the Defence Signals Bureau—the forerunner of ASD—more than 60 years ago.
As the Commonwealth authority on information security, and informed by its signals
intelligence expertise and capabilities, ASD can provide agencies with advice and assistance
as well as further information on the cyber threat. ASD conducts a number of workshops
and forums with IT Security Advisors throughout the year to facilitate open discussion on
countering the cyber threat. These discussions focus on the challenges faced by Australian
government agencies in protecting their information and systems.
The CSOC, located in ASD, provides coordinated operational responses to cyber security
incidents of national importance. The CSOC is a resource designed to serve all government
agencies and has embedded representation from the Australian Defence Force, Defence
Intelligence Organisation, Australian Security Intelligence Organisation, Australian Federal
Police and CERT Australia.
What you can do for ASD
Successfully protecting Australian networks from an increasingly sophisticated and persistent
cyber threat requires strong collaboration. While ASD can provide technical advice and
assistance, we can not tackle this challenge alone. Reporting of cyber security incidents
provides ASD with greater visibility of the threat environment and assists in the prevention of
cyber intrusions on Australian government networks.
While the information in the ISM is extensive, it represents advice at a point in time as
technology and the threat environment continue to evolve. Please keep us informed on how
we can continue to provide tailored advice that best meets the needs and requirements of
your agency. ASD will focus on providing advice according to where it is most needed.
Contact
For all urgent and operational enquiries:
• Phone 1300 CYBER1 (1300 292 371) and select 1 at any time.
• Fill out a cyber security incident report form on the OnSecure website
(www.onsecure.gov.au).
For all non–urgent and general enquiries:
• Phone 1300 CYBER1 (1300 292 371) and select 2 at any time.
• Use the Advice and Assistance form on the OnSecure website. Australian Government–
sponsored customers who do not have an OnSecure account should apply for one.
• Email: [email protected].
10
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
PRINCIPLES
11
P rinciples : I nformation S ecurity R isk M anagement
Principles
Information Security Risk Management
Rationale
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce
risk to an acceptable level.
The ISM is designed as a tool to assist Australian government agencies to risk–manage
the protection of their information and systems. It represents best practice in mitigating or
minimising the threat to Australian government systems. However, there is no one–size–fits–all
approach to information security. Taking a risk management approach to information security
provides agencies with the flexibility to allow for differences in their environment when making
security decisions. Agencies will have different security requirements, business needs and risk
appetites from one another. It may not be possible or appropriate for an agency to implement
all security controls included in the Controls manual.
Information security risk management requires agencies to understand the security risks they
face, to make informed decisions when using technology. Understanding the risk environment
specific to your agency will also enable greater flexibility and adaptability in responding to
changes to that environment as the threat landscape evolves.
Scope
This chapter describes the expectations on Australian government agencies in taking a risk
management approach to information security.
Principles
1.
Requirement to Adopt a Risk Management Approach
Provide accountable authorities with a holistic understanding of their security
posture by incorporating information security into an agency’s broader risk
management practices.
It is a mandatory requirement of the Australian Government Protective Security Policy
Framework that agencies adopt a risk management approach to cover all areas of protective
security across their organisation. Since an agency’s risk owner is accountable for an
information or cyber security incident, it is important they are made aware of any residual
risks to agency information and systems through a formal approval process. Information
security should therefore be incorporated into an agency’s broader risk management practices.
12
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : I nformation S ecurity R isk M anagement
2.
Information Security Risk Management Process
Implement a risk management approach to information security by identifying,
analysing, evaluating and, where appropriate, treating security risks to information
and systems.
Risk management allows agencies to balance the operational and economic costs of
information security measures with the need to protect the information and systems that
support their organisational functions.
The process of identifying, analysing and evaluating information security risks can help
agencies select security controls suitable for their unique business environments. Risks
deemed unacceptable are treated by implementing appropriate security measures. Risks
deemed acceptable, as well as any residual security risks, are formally accepted by an
appropriate authority.
The ISM communicates potential information security risks faced by Australian government
agencies. It can assist agencies in understanding the consequences of non–compliance with
advised security controls and whether such non–compliance presents an acceptable level of
risk. The ISM Controls manual provides guidance on appropriate risk mitigation strategies.
As a whole–of–government policy document, the advice in the ISM is necessarily device and
agency non–specific. Not all ISM requirements can be implemented on all devices or in all
environments. In these cases, device–specific advice issued by ASD may take precedence
over the advice in the ISM. Agencies should familiarise themselves with other documentation
suites issued by ASD. Relevant documentation is referenced in each section of the ISM
Controls manual.
References
Further information on risk management and protective security requirements can be found in
the Australian Government Protective Security Policy Framework, available at
www.protectivesecurity.gov.au.
For further guidance please refer to the Australian Standard for Risk Management AS/NZS
ISO 31000:2009, the Australian Standards HB 167:2006 Security risk management and HB
327:2010 Communicating and consulting about risk.
The Protective Security Training College, managed by the Attorney–General’s Department,
provides formal training opportunities on the subject of security risk management:
www.ag.gov.au/NationalSecurity/ProtectiveSecurityTraining/Pages/default.aspx.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
13
P rinciples : R oles and R esponsibilities
Roles and Responsibilities
DID
D I D YOU
YO U K N
NOW?
OW?
Rationale
The leadership of a
Chief Information
Security Officer or
equivalent position
can substantially
reduce the overall
cost of data
breaches.6
Managing information security at the senior executive level
provides agencies with strategic–level guidance that ensures
compliance with national policy, standards, regulation and
legislation. Further, senior support best ensures an agency’s
ability to restore business–critical services to an operational
state in the event of a disaster.
Duties should be assigned to individuals with an appropriate
level of authority, access to information and resources,
technical expertise and time to dedicate to meeting these
responsibilities. Agencies should also ensure there is
sufficient separation of duties to provide quality assurance
and avoid any actual or perceived conflict of interest.6
Scope
This chapter describes roles and responsibilities concerning information security.
Principles
1.
Visibility
Provide personnel, including decision makers, with sufficient information to
perform their duties by adopting a robust and effective governance framework.
An effective information security governance framework will provide decision makers with a
current, accurate and holistic understanding of the threat environment, enabling them to make
informed risk–based decisions in relation to information security. It is also important to ensure
that this information is passed to system owners and stakeholders and that it is considered
during accreditation activities.
2.
Accountability
Ensure duties are undertaken at an appropriate level and conducted accountably by
adopting a governance framework with clearly defined roles and responsibilities.
A strong governance framework will promote accountability and ensure that all duties are
appointed to individuals with an appropriate level of authority.
3.
Probity
Reduce the likelihood of an actual or perceived conflict of interest by maintaining
clear separation of duties.
The separation of duties can prevent an actual or perceived conflict of interest. For instance,
there can be a conflict of interest in a system owner assessing the security of their own system.
References
Nil.
6 Ponemon Institute, 2009 Annual Study: Cost of a Data Breach — Understanding Financial Impact,
Customer Turnover and Preventative Solutions, 2010.
14
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : I ndustry E ngagement and O utsourcing
Industry Engagement and Outsourcing
Rationale
Outsourcing can be a cost–effective option for providing information technology services and
functions in an agency, as well as potentially delivering a superior service. However, it can also
affect an agency’s risk profile and control over its threat environment. Storing data in multiple
disparate locations and allowing more people to access agency information can significantly
increase the potential for network infection and information loss or compromise.
DID
D I D YOU
YO U K N
NOW?
OW?
Cloud computing—abstracted, scalable ICT
infrastructure that can be leased to customers
In 2011, 41% of data
on a ‘pay as you go’ basis—will be one of the
breaches were caused
most significant shifts in ICT in the next decade.
by a third party,
Circumventing the need for infrastructure management
namely outsourcers,
has clear financial and operational benefits for
cloud providers or
agencies. However, due to the Internet–connected
business partners that
nature of cloud computing, any data stored on this
handled or accessed
type of network is vulnerable to malicious cyber
the organisation's
activity. Moreover, the physical data storage location—
information.7
and the people responsible—will not necessarily be
known to the customer. This diminishes customer
control over threat mitigation and response and
increases the threat from malicious insiders. The Attorney–General’s Department has produced
a document outlining the Australian Government Policy and Risk management guidelines for
the storage and processing of Australian Government information in outsourced or offshore
ICT arrangements. This guidance should be consulted in addition to ASD’s Cloud Computing
Security Considerations, when considering outsourcing agency ICT functions.7
Scope
This chapter provides information on outsourcing information technology services and
functions to industry, as well as providing them with access to information in order to
undertake their duties.
Principles
1.
Industry Engagement and Outsourcing
Maintain the confidentiality, integrity and availability of information by ensuring
agency approved security measures are implemented by service providers handling
agency information, and that sensitive or classified information remains within
Australian borders at all times.
Ensuring that service provider systems are located in Australia and are accredited to the same
minimum standard as the sponsoring agency’s systems provides assurance that sensitive or
classified information is receiving an appropriate level of protection. The risk of a malicious
actor accessing agency information greatly increases if the information is stored or transmitted
outside Australian borders.
7 Ponemon Institute, Cost of a Data Breach Study, 2012.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
15
P rinciples : I ndustry E ngagement and O utsourcing
References
Additional information regarding cloud computing security considerations can be found on the
ASD website at www.asd.gov.au/infosec/cloudsecurity.htm.
The Australian Government Information Management Office (AGIMO) is the lead agency for
whole–of government policy on cloud computing. Relevant documentation can be found at
www.finance.gov.au/cloud/.
The Attorney–General’s Department’s Australian Government Policy and Risk management
guidelines for the storage and processing of Australian Government information in outsourced
or offshore ICT arrangements can be found at
www.protectivesecurity.gov.au/informationsecurity/Pages/Supporting-guidelines-toinformation-security-(including-the-classification-system).aspx.
Better practice guidance developed by the Attorney–General’s Department can be found in
Security of Outsourced Services and Functions at www.protectivesecurity.gov.au.
16
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : I nformation S ecurity D ocumentation
Information Security Documentation
Rationale
Documentation is vital to any information security regime, as it supports the accurate and
consistent application of policy and procedures within an agency. Documentation also provides
increased accountability and a standard against which compliance can be measured.
The following suite of documents forms the Information Security Management Framework,
as mandated in the Australian Government Information Security Management Protocol of the
Australian Government Protective Security Policy Framework:
1. Information security policy. To set the strategic direction for an agency’s information
security and allow management to communicate its goals and expectations.
2. Security risk management plan. To identify security risks and appropriate mitigation
measures for systems and determine a risk tolerance threshold, ensuring risks are able to
be managed in a coordinated and consistent manner across an agency.
3. System security plan. To ensure specific security measures for the implementation and
operation of a specific system are adequately communicated and considered.
4. Standard operating procedures. To assist personnel to follow security procedures in an
appropriate and uniform manner, with a minimum level of confusion.
5. Incident response plan. To communicate which actions to take in response to a cyber
security incident, with sufficient flexibility, scope and detail to address the majority of
incidents which could arise.
6. Emergency procedures. To ensure information and systems are properly secured before
personnel evacuate a facility, as emergency situations can be exploited as an opportunity
for a malicious actor to gain access to systems.
7. Business continuity and disaster recovery plans. To help maintain security in the face of
unexpected events and changes by ensuring critical functions continue to operate when
a system is working in a degraded state or reducing the time between when a disaster
occurs and critical functions being restored.8
DID
D I D YOU
YO U K N
NOW?
OW?
To avoid confusion and ensure information security policy and procedures are properly applied,
it is essential that all documents work in concert with, and not contradict, each other. Clear
and logical wording will ensure the documents are easy to use and, consequently, effective.
Three out of four companies across ten countries—including Australia—have
security policies in place.
However, 40% of employees and 20% of IT professionals did not know that the
security policies existed.8
8CISCO, Annual Security Report, 2008.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
17
P rinciples : I nformation S ecurity D ocumentation
The cyber threat environment is dynamic—so too are agency business requirements. If an
agency fails to keep its information security documentation current through regular reviews
to reflect the changing environment, their security measures and processes may cease
to be effective. In that situation, resources could be devoted to areas that have reduced
effectiveness, or are no longer relevant.
Scope
This chapter describes the development of information security documentation for systems.
Principles
1.
Information Security Documentation
Apply agency policy and procedures consistently and accountably by adopting a
comprehensive suite of information security documentation, which is regularly
reviewed and tailored to specific systems and user roles.
An appropriate and interconnected suite of information security documentation assists in the
proper, consistent and accountable application of policy and procedures within an agency.
Agencies need to communicate new or altered policies and procedures to stakeholders to
ensure they are properly implemented.
References
Information on the development of security risk management plans can be found in the
Information Security Risk Management Guidelines available from Standards Australia at
www.standards.org.au.
Information relating to the Information Security Management Framework is contained in
the Australian Government Information Security Management Protocol of the Australian
Government Protective Security Policy Framework, which can be found at
www.protectivesecurity.gov.au.
18
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : S ystem A ccreditation
System Accreditation
Rationale
Accreditation is the process by which an appropriate authority formally recognises and accepts
that residual risks on a system are appropriate for the classification of the information that it
processes, stores or communicates. Agencies must accredit all systems before they can be put
into operation. Accreditation provides agencies with assurance that either sufficient security
measures have been put in place on their systems or deficiencies in such measures have
been accepted by an appropriate authority. The following diagram shows, at a high level, the
process of accreditation:
System Owner
Accreditation
Authority
Certification
Authority
Assessor
Requests
accreditation
Requests
reaccreditation
Requests
certification
Requests audit
Conducts first
stage audit
Implements
controls
Conducts second
stage audit
Assess audit
report and
residual risk
Awards
certification
Assesses
certification report
Assesses residual
risk and other
factors
Awards
accreditation
Operates system
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
19
P rinciples : S ystem A ccreditation
The accreditation process does not only apply to new systems. It is important that systems are
reaccredited as the information technology and cyber threat environments continue to evolve.
Performing regular accreditation facilitates understanding of a current system's security
environment and provides assurance that information systems are of a standard that meet
the agency’s security requirements. Once a system has been accredited, conducting continual
monitoring activities will assist in assessing changes to its environment and operation to
determine the implications for the risk profile and accreditation status of the system.
When accrediting a system, it is also important to remain aware of legislative and policy
requirements if a system is connecting to another party. Agencies should ensure they are
aware of the security measures the other party has implemented to protect their information,
and accept any risks associated with connecting to such systems. Further, it is vital that
Australian citizens maintain control of systems that process, store and communicate Australian
Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) information.
Scope
This chapter describes the accreditation framework for systems and agencies’ responsibilities.
Principles
1.
Accreditation Framework
Ensure that an appropriate level of security is being applied to agency systems,
and that any residual risks have been accepted, by adopting a robust accreditation
framework.
An appropriate accreditation framework will comprise clear lines of accountability and a
segregation of roles and responsibilities to provide agencies with an impartial mechanism to
assess the security of their systems.
2.
Conducting Audits
Certify agency systems under the accreditation framework by conducting
impartial audits.
The aim of an audit is to review the system architecture (including the information security
documentation) and assess the actual implementation, appropriateness and effectiveness
of controls for a system. Audits are typically undertaken by Information Security Registered
Assessors.
The outcome of an audit is a report to the certification authority describing areas of
compliance and non–compliance for a system and any suggested remediation actions. The
compliance report helps the certification authority assess the residual risk relating to the
operation of a system following the audit and any remediation activities the system owner may
have undertaken.
3.
Conducting Certifications
Independently verify the integrity and accept the outcome of an audit by certifying
a system as part of the accreditation framework.
20
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : S ystem A ccreditation
Certification provides the accreditation authority with information on the security posture of
a system. This allows the accreditation authority to make an informed decision on whether
the residual risk of allowing the system to operate is acceptable. The certification authority is
typically the officer responsible for overseeing information technology security management
across the agency. However, ASD acts as the certification authority in the case of TOP
SECRET systems.
Certification for a system will be awarded once a certification authority is satisfied that the
system has been appropriately audited and the controls identified by the system owner have
been implemented and are operating effectively. The certification authority can then make a
recommendation to the accreditation authority on whether to award accreditation or not based
on an assessment of the residual risk relating to the operation of the system.
4.
Conducting Accreditations
Accept that the residual security risks on an agency system are appropriate for the
information it processes, stores or communicates by accrediting the system before
being put into operation.
Accreditation of a system ensures that either sufficient security measures have been put in
place or that deficiencies in such measures have been accepted by an appropriate authority.
An accreditation authority awards approval to operate the system and is typically the agency
head or at least a senior executive who has an appropriate level of understanding of the risks
they are accepting on behalf of the agency. The exception is for TOP SECRET systems, for
which ASD is the accreditation authority.
References
Policy and Procedures for the Information Security Registered Assessor Program contains a
definition of the range of activities Information Security Registered Assessors are authorised to
perform. It can be obtained from ASD’s website at www.asd.gov.au/infosec/irap.htm.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
21
P rinciples : I nformation S ecurity M onitoring
Information Security Monitoring
Rationale
DID
D I D YOU
YO U K N
NOW?
OW?
Information security is a continual process, one that extends beyond ensuring that a system is
secure at the time of deployment. Vulnerabilities can be introduced into a system through poor
design, planning, implementation, change management or maintenance, as well as through
changes in technology or attack vectors. Unmitigated vulnerabilities provide the means for a
malicious actor to compromise systems and information.
During a 2011 information
systems audit, 14 out of
15 Western Australian
government agencies
failed to detect, prevent
or respond to suspicious
scans of their Internet
sites seeking to identify
security weaknesses.9
Information security monitoring practices can help
ensure that new vulnerabilities are addressed and
security is maintained through unforeseen events
and changes, whether internal to the system or in
the system’s operating environment. Such practices
allow agencies to be proactive in identifying,
prioritising and responding to risks. Measures to
monitor and manage vulnerabilities in, and changes
to, a system can provide an agency with valuable
information about its level of exposure to threats, as
well as assisting agencies in keeping up to date with
industry and product advances.9
Scope
This chapter describes the importance of vulnerability management activities and robust
change management processes.
Principles
1.
Vulnerability Management
Maintain the security posture of systems by implementing appropriate vulnerability
management practices.
Vulnerability management activities, such as regular vulnerability assessments, analysis
and mitigation, assist in maintaining system security as threat environments change over
time. Vulnerability assessments allow agencies to identify security weaknesses caused by
misconfigurations, bugs or flaws. Once a vulnerability is detected, an agency is able to
determine a way forward through vulnerability analysis, assessing the vulnerability’s potential
impact and available mitigation strategies. Vulnerability mitigation is the process of applying
the chosen mitigations in an effective and timely manner in order to eliminate or minimise
the risk.
9 Auditor General of Western Australia, Information Systems Audit Report (Report 4), June 2011.
22
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : I nformation S ecurity M onitoring
2.
Change Management
Ensure an agency’s approved security risk threshold is maintained when
implementing system changes by applying appropriate change management
processes.
Implementing changes to a system can impact upon its overall risk. A sound change
management process ensures changes are made in an accountable manner with due
consideration and with appropriate approval.
It also provides agencies with the opportunity to, if necessary, initiate a reaccreditation
process or apply vulnerability management practices, minimising the risk of system security
degrading over time.
References
Nil.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
23
P rinciples : C yber S ecurity I ncidents
Cyber Security Incidents
Rationale
Cyber security incidents have the potential to cause significant damage to agency business
functions or to the broader government and can result in financial loss, loss of customer
confidence and negatively impact the reputation of an agency or government.
DID
D I D YOU
YO U K N
NOW?
OW?
Agencies can lessen the impact, and the immediate and long term response costs, of a cyber
security incident by investing in effective measures to detect, prevent, report and manage
cyber security incidents. Such measures can help identify gaps in information security policies
and procedures, and assist in the development of additional measures required to prevent
future incidents occurring.
22 Australian
companies in a 2011
study lost between
3,200 and 65,000
individual records from
data breach incidents,
with an average
organisation cost
per breach of $2.16
million.10
The development of a robust cyber security incident
management and response plan positions an agency to
detect threats and respond swiftly and appropriately in
the event of a cyber security incident. Having sound and
up to date knowledge of the affected system will enable
an agency to quickly identify the cause and extent of the
incident and restore the system to an operational and
secure state as soon as possible.10
Additionally, actively monitoring the cyber security threat
environment and actioning advice provided by ASD will
assist in evolving agency understanding of the cyber
threat and help inform agency incident
response planning.
Users of an agency system should be considered an important and integrated element of
any agency’s cyber security detection and response strategy. Many potential cyber security
incidents are noticed by users before security staff are alerted by technical measures. For this
to happen, users must receive training on information security, including how to recognise and
respond to potential cyber incidents, and be provided with a process to report any observed
or suspected security incidents. In addition, users need to be aware of how to respond to
incidents in an appropriate manner. This can assist an agency in recording all cyber security
incidents—particularly those which a security manager or system owner fail to notice—as well
as ensuring that any digital evidence relating to an incident is managed so that it remains
accessible and usable for as long as it is needed. This includes ensuring that metadata about
the digital records, who used them, and how they were used is retained.
Scope
This chapter describes the detection, reporting and management of cyber security incidents.
10 Ponemon Institute, 2011 Cost of a Data Breach Australia, 2012.
24
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : C yber S ecurity I ncidents
Principles
1.
Detection
Reduce the impact and time taken to resolve cyber security incidents by
implementing proper procedures and appropriately configured technical measures.
Early cyber security incident detection allows for early response and resolution. Detection tools
and procedures work to mitigate the most common methods of attack used to exploit systems.
Measures for detecting cyber security incidents include intrusion detection strategies, malicious
code countermeasures, audit analysis and system integrity checking. However, automated
tools are only as good as the analysis they provide. If tools are not adequately configured
to assess potential security risks then it will not be evident when a weakness emerges.
Additionally, regular updates to detection tools to include new known vulnerabilities will help
avoid a degradation in their effectiveness over time.
2.
Reporting
DID
D I D YOU
YO U K N
NOW?
OW?
Maintain an up to date and accurate understanding of the cyber threat environment
specific to your network and contribute to the overall cyber threat picture by
implementing internal and external cyber reporting procedures.
85% of data
breaches in 2011
took weeks or
more to discover.
In fact, over half
of the breaches
took months to
discover.11
Robust measures for reporting cyber security incidents can
provide management with a means to assess the overall
damage to a system and to take remedial action, including
seeking advice from ASD if necessary.11
The ASD–established Cyber Security Incident Reporting
Scheme assists in maintaining an accurate threat
environment picture for systems across government.
ASD uses cyber security incident reports as the basis for
recognising trends, identifying and responding to incidents,
and for developing new policies, procedures, techniques
and training to prevent the recurrence of similar incidents
across government. Reporting cyber security incidents to
ASD through the appropriate channels ensures proper and timely assistance can be provided.
Reporting any cyber security incident involving the loss or misuse of cryptographic keying
material is critical, as system users rely on this technology for the confidentiality and integrity
of their secure communications.
3.
Management
Enable necessary information to be retained to resolve current, or mitigate future,
cyber security incidents by implementing appropriate management procedures.
Proper management of cyber security incidents—such as recording incidents, designating
responsibilities, handling and containing data spills and malicious code infections, and securing
the integrity of evidence—can help resolve current and prevent future occurrences. Recording
cyber security incidents can highlight the nature and frequency of incidents, to assist in taking
corrective action and informing future risk assessments for systems.
11Verizon, 2012 Data Breach Investigations Report, 2012.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
25
P rinciples : C yber S ecurity I ncidents
Using the information gained during an incident can better prepare an agency for handling
future incidents and provide stronger protection for systems and information. Maintaining
the integrity of evidence—such as logs, audit trails and other detection tool outputs—after
an incident ensures better assistance can be provided. Protecting digital evidence is not
only important for investigations leading to criminal prosecution, but is vital to ASD when
responding to and investigating cyber security incidents. Moreover, agencies are required
under the Archives Act 1983 to retain records such as event logs and audit trails for specific
minimum periods.
References
Further information on minimum retention periods for Commonwealth records is provided in
the National Archives of Australia’s Administrative Functions Disposal Authority, which can be
found at
www.naa.gov.au/records-management/agency/keep-destroy-transfer/agency-ra/index.aspx.
26
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : P hysical S ecurity
Physical Security
Rationale
DID
D I D YOU
YO U K N
NOW?
OW?
Physical security is fundamental to all security efforts. Without adequate physical security
controls, all other information security measures are considerably more difficult, if not
impossible, to initiate. Physical security requires that equipment and infrastructure be
safeguarded in a way that minimises the risk of resource theft, destruction or tampering, for
example by limiting access to areas housing network infrastructure.
30% of IT
professionals
interviewed in
Australia had
encountered issues
with people having
unauthorised
physical and
network access.12
Physical security can not only assist in preventing malicious
damage, but also reduces the risk of accidents and
inadvertent errors affecting a system.
A single layer of physical security, such as an identification
pass that allows building access, is insufficient to mitigate
the risk of compromise. A layered approach to physical
security works to progressively limit access to systems and
infrastructure to authorised personnel only, and prevent a
shortfall in one security layer from leading to a wider, more
serious failure. This is a practical example of the defence–
in–depth concept being applied to the information security
space. As an example of a layered approach, an agency
could require identification passes for building access as well as targeted swipe access to
specific rooms which accommodate lockable containers for storing information or equipment.12
Scope
This chapter outlines the physical security requirements for ICT systems and should be read
in conjunction with the physical security components of the Australian Government Protective
Security Policy Framework.
Principles
1.
Physical Security for Systems
Limit access to facilities, servers, network devices, ICT equipment and media to
authorised personnel only by applying appropriate physical security controls in
accordance with the Australian Government Protective Security Policy Framework.
The application of defence–in–depth to the protection of systems is enhanced through the use
of successive layers of physical security, designed to limit access to those with the need and
appropriate authorisation to access facilities, systems, network infrastructure, ICT equipment
and media.
12CISCO, Data Leakage Worldwide: Common Risks and Mistakes Employees Make, 2008.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
27
P rinciples : P hysical S ecurity
References
Physical security requirements and guidance can be found in the Australian Government
Protective Security Policy Framework available at www.protectivesecurity.gov.au.
In addition, the Security Equipment Catalogue, produced by the Security Construction and
Equipment Committee (SCEC), provides a list of security products and vendor contact details.
28
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : P ersonnel S ecurity
Personnel Security
Rationale
Personnel security refers to measures which work to manage the risk of a trusted insider using
their legitimate access to an agency’s facilities, assets, systems or people for illicit gain or to
cause harm, whether intentional or inadvertent. Implementing a personnel security framework
assists agencies in identifying any ‘inside threats’ they could confront, and provides the tools
to manage the associated risks.
Personnel security is about being educated, informed and proactive. By accessing an
agency’s information systems, employees are able to identify and understand procedures
and vulnerabilities, and know how and when they can be exploited. Legitimate access can be
abused or poor access controls can be manipulated to gain unauthorised access. Together
with an intent to commit theft, sabotage or to disclose sensitive or classified information, an
employee can cause significant damage to an agency’s reputation, operations, productivity
or finances. Appointing suitable and trustworthy personnel to operate, maintain and access
information systems creates the first line of defence in an agency’s security posture.
On the other hand, personnel can cause unintentional harm if they are unaware of their
security responsibilities and role in protecting an agency’s systems and information. If policies
are to be successful in preventing the compromise or unauthorised disclosure of information,
they need to be adopted and practiced by all agency personnel on a daily basis. For example,
social engineering campaigns aim to exploit weaknesses in personal judgment and decision–
making to compromise or gain access to an agency’s system or information. Fostering a
culture of security awareness and responsibility through effective training and awareness
programs is vital in ensuring individuals make the security decisions expected of them.
Scope
This chapter describes information security awareness and training for personnel, and the
responsibilities of personnel using Internet services.
Principles
1.
Information Security Awareness and Training
Foster an effective security culture within an agency by providing all personnel
with ongoing information security awareness and training, tailored to system user
roles and responsibilities.
Fostering an effective security culture through tailored education plays a major role in
protecting agency systems and information from attack or compromise. Information security
awareness and training programs can educate system users, security practitioners and senior
decision–makers on the cyber threat environment, as well as generate support for agency
security requirements and familiarise users with their roles and responsibilities. The degree
and content of the programs will depend on the objectives of the agency, as well as the
classification of the systems involved.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
29
P rinciples : P ersonnel S ecurity
2.
Using the Internet
DID
D I D YOU
YO U K N
NOW?
OW?
Ensure personnel are able to use Internet services in a responsible, accountable
and security conscious manner by adopting effective usage policies and controls.
85% of all
malicious
software—
including viruses,
worms, spyware,
adware and
Trojans—comes
from the web.13
Some Internet services, such as public web–based email and
peer–to–peer applications, can allow personnel to bypass
security measures that agencies have put in place to protect
their systems. For example, when personnel receive files via
peer–to–peer file–sharing applications, instant messaging
or chat, they are often able to evade established security
measures for detecting and quarantining malicious code.
Further, some peer–to–peer Voice over Internet Protocol
(VoIP) applications, such as Skype, use protocols which
bypass firewalls, creating a vulnerable access point into the
system. Public web–based email can be easily exploited as a
backdoor entry route for malware.13
Agency staff need to be aware that any personal information they post on websites could
be used to inform phishing scams, or to develop a detailed profile of their life and hobbies
in order to build a trust relationship with them or associates. The relationship could then be
used to elicit government information from them or implant malware on systems by inducing
them to, for example, open emails or visit websites with malicious content. Even unclassified
information that appears to be benign in isolation could, when combined with other
information, have a considerable security impact.
Agencies can help to facilitate secure use of the Internet by implementing measures that
ensure Internet services and applications available to personnel are appropriately scanned for
malicious code and subject to inspection by intrusion detection systems.
References
For all other guidance on personnel security requirements, please refer to the Australian
Government Personnel Security Core Policy and the Australian Government Personnel Security
Management Protocol of the Australian Government Protective Security Policy Framework,
which can be found at www.protectivesecurity.gov.au.
For information on the personnel security threat environment, please refer to The Insider
Threat to Business– A personnel security handbook, as released by the Attorney‑General’s
Department. This can be found under the ‘Security’ heading at
www.tisn.gov.au/Pages/Publications-by-topic.aspx.
Information on the policy and regulations governing the disclosure and use of government
information by personnel can be found in the Managing Official Information section of APS
Values and Code of Conduct in Practice, located at
www.apsc.gov.au/publications-and-media/current-publications/aps-values-and-code-ofconduct-in-practice.
13Sophos, Security Threat Report 2012 — Seeing the Threats Through the Hype, 2012.
30
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : C ommunications I nfrastructure
Communications Infrastructure
Rationale
With the proliferation of system connections across government, a robust cable management
regime can help agencies maintain the integrity and availability of their communications
infrastructure and the confidentiality and integrity of their information. Proper cable
management can minimise the likelihood of unauthorised personnel inadvertently or
deliberately accessing system cables. Laying cables in a controlled manner and ensuring
they are appropriately labelled, separated and accessible for visual inspection can help
detect any covert tampering or access to system cables that may otherwise result in long
term unauthorised access to corporate information by a malicious actor, or damage to
communications infrastructure that could impact the availability of system information.
Appropriate cable labelling can also prevent data spills by accidentally connecting one system
to another of a lesser classification.
Moreover, investment in adequate cable infrastructure and appropriate cable management
practices can result in considerable long term efficiencies over the life of an installation, as
technology and system requirements continue to evolve. For instance, initial investment
in fibre cable not only protects against unforseen threats, but enables information to be
communicated at higher classifications in the future.
Implementing accessible and visible cable infrastructure can significantly reduce expenses
resulting from future upgrades, accreditation, fault finding, configuration management and
regular inspection for tampering or degradation.
Compromising emanations from equipment and cables provides an opportunity for classified
or sensitive information to be intercepted. Some environments—such as mobile platforms and
deployable assets that process classified information—are particularly susceptible, and could
be seriously affected if compromised by an emanation security attack. ASD maintains up to
date emanation security threat assessments for relevant agencies to use when determining
emanation security measures and maintaining the confidentiality and availability of classified
systems. Having sound cable infrastructure and installation methodology provides protection in
the case that an agency’s emanation security threat increases.
Scope
This chapter describes the importance of securing communications infrastructure through
cable management and emanation security practices.
Principles
1.
Cable Management
Protect sensitive or classified information by applying appropriate cable
management practices.
Appropriate cable management practices can assist an agency to protect its information by
minimising the likelihood of unauthorised personnel inadvertently or deliberately accessing
system cables.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
31
P rinciples : C ommunications I nfrastructure
2.
Emanation Security
Minimise the disclosure of classified or sensitive information from compromising
emanations by implementing appropriate countermeasures informed by current
ASD emanation security threat assessments.
Reducing emanations to an acceptable level minimises the risk that an agency’s information
will be intercepted and its systems compromised. ASD maintains up to date emanation security
threat assessments for relevant agencies to use when determining emanation
security measures.
References
Additional information on conducting an emanation security threat assessment is found in
the latest version of Australian Communications Security Instruction 71—Guidelines for the
Installation of Communication and Information Processing Equipment and Systems.
Additional information on cables and separation standards, as well as the potential dangers
of operating radio frequency transmitters near systems is documented in the latest version
of Australian Communications Security Instruction 61—A Guide to the Assessment of
Electromagnetic Security in Military and High–Risk Environments.
32
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : C ommunications S ystems and D evices
Communications Systems and Devices
Rationale
Communications systems and devices can act as a digital gateway for information coming
into and going out of a network, and can facilitate the disclosure of classified or sensitive
information, whether inadvertent or intentional. In some cases these devices could provide an
access point into any system to which the device connects.
Effective governance, including device usage policies and procedures, plays a vital role in
minimising the likelihood of data spills by ensuring personnel have sufficient knowledge of the
risk to, and methods to protect, classified and sensitive information which is being scanned,
copied, printed or communicated. Additionally, properly considering the physical positioning of
devices can reduce the potential of unauthorised access and modification.
Scope
This chapter describes the importance of implementing measures which facilitate the secure
use of radio frequency and infrared devices, fax machines, multifunction devices, as well as
fixed telephones and the systems to which they connect.
Principles
1.
Radio Frequency and Infrared Devices
Reduce the risk of data spills by implementing measures to prevent, detect and
respond to the unauthorised or unsecure use of radio frequency and infrared
communications devices.
Transmissions from radio frequency and infrared devices, for example Bluetooth and wireless
keyboards, can create an emanation security risk if not appropriately secured, positioned or
configured. Radio frequency devices are also capable of automatically connecting to systems
and potentially becoming unauthorised data storage devices. Moreover, the wireless transfer of
information can serve as an illicit entry point for an entire network.
Appropriately configuring wireless networks, positioning devices to restrict communications
from being transmitted into an unsecured space and using radio frequency shielding on
facilities will assist agencies in limiting wireless communications to areas under their control.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
33
P rinciples : C ommunications S ystems and D evices
2.
Fax Machines and Multifunction Devices
Maintain the confidentiality of sensitive or classified information by appropriately
configuring, and developing a proper usage policy for, fax machines and
multifunction devices.
DID
D I D YOU
YO U K N
NOW?
OW?
Fax machines and multifunction devices (MFDs)
are capable of communicating classified
In early 2011, the City of
information across a connected network. These
York Council in the United
devices can therefore facilitate data spills, for
Kingdom was penalised by the
instance by personnel scanning, copying or
Information Commissioner’s
sending information at a classification higher than
Office after papers containing
that of the network the devices are connected
sensitive personal data were
to. Developing an agency policy governing the
mistakenly collected from a
use of fax machines and MFDs can help prevent
shared printer and posted to
actions which can lead to the unauthorised
the wrong person.14
access to, and disclosure of, classified or sensitive
information. In addition, when a device is
connected to a computer network, it can become a bridge and therefore a potential vector
to access information which has been scanned, copied or printed. Properly configuring fax
machines and MFDs will assist in preventing malicious or inadvertent data spills. 14
3.
Telephones and Telephone Systems
Maintain the confidentiality of classified or sensitive information by developing a
usage policy governing, and appropriately configuring, telephones and telephone
systems.
The improper configuration and use of telephones and telephone systems can expose classified
or sensitive information to those not authorised to hear it. Telephones pose increased audio,
and, in the case of video conferencing, visual security risks, and information communicated
over unsecure telephone networks is exposed to interception. These risks can be reduced
by ensuring personnel are aware of their environment and given guidance regarding the
appropriate levels of information which can be discussed on particular telephone systems, as
well as implementing measures such as encryption and off–hook security—for instance, by
limiting the time an active microphone is open.
References
For more information relating to wireless communications and connectivity, please refer to the
Working Off–Site chapter of this document.
14 United Kingdom Information Commissioner's Office, News Release: Council printer mix–up breached
data protection laws, 5 April 2011.
34
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : P S P F M andatory R equirement I N F O S E C 4 E x plained
PSPF Mandatory Requirement INFOSEC 4
Explained
Rationale
DID
D I D YOU
YO U K N
NOW?
OW?
Australian Government Protective Security Policy Framework (PSPF) mandatory requirement
INFOSEC 4 requires agencies to implement ASD’s Strategies to Mitigate Targeted Cyber
Intrusions (the Strategies) as outlined in the ISM Controls manual. To satisfy INFOSEC 4,
agencies are required to implement the Top 4 of the Strategies.
When implemented
as a package, ASD's
Top 4 mitigation
strategies would
have prevented
at least 85% of
intrusions ASD
responds to.
The Strategies were developed in order to mitigate
the most common cyber security threat being faced by
Australian government agencies at this point in time:
targeted cyber intrusions from the Internet to the work
station. The strategies represent a layered defence
designed to protect the workstation, and by extension the
corporate network, from targeted cyber intrusions. While
no single strategy can prevent malicious activity, at least
85% of the incidents that ASD responds to could have been
prevented by implementing the Top 4. As such, the PSPF
now requires government agencies to implement the Top 4.
The Top 4 Strategies are:
1. application whitelisting
2. patch applications
3. patch operating systems
4. minimise administrative privileges.
A list of the technical controls required in order to implement the Top 4 is outlined in the
PSPF Mandatory Requirement INFOSEC 4 Explained chapter of the Controls manual. The
implementation of the remaining Strategies is also strongly recommended, however these can
be prioritised based on business requirements and the risk profile of each system.
Scope
This chapter outlines the ISM controls that agencies must implement in order to be compliant
with PSPF mandatory requirement INFOSEC 4.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
35
P rinciples : P S P F M andatory R equirement I N F O S E C 4 E x plained
Principles
1.
Controls to meet PSPF requirement INFOSEC 4
Reduce the risk of targeted cyber intrusions by implementing the Top 4 of ASD’s
Strategies to Mitigate Targeted Cyber Intrusions where applicable.
As the Strategies are designed to mitigate targeted content–based intrusions (that is email
and web pages), priority for implementing the Top 4 Strategies should therefore be placed
on Australian government systems that are able to receive emails or browse web content
originating from a different security domain, particularly from the Internet.
Other systems will benefit from implementing the Top 4, and the Top 35 Strategies more
broadly, however there may be circumstances where the risks or business impact of
implementing the Strategies outweighs the benefit, and other security controls may have
greater relevance. In such circumstances, agencies should apply appropriate risk management
practices as outlined in the ISM.
Under the PSPF, non–compliance with any mandatory requirements must be reported to
an agency’s relevant portfolio minister, and also to ASD for matters relating to the ISM.
Compliance reporting to the relevant portfolio minister is not intended as an extra step in the
system accreditation process, nor is it assumed compliance must be gained before authority to
operate can be granted to a system.
References
Further information on the Strategies can be found in the following ASD Protect publications
available through the OnSecure portal and the ASD website at:
www.asd.gov.au/infosec/top35mitigationstrategies.htm.
•
Strategies to Mitigate Targeted Cyber Intrusions
•
Strategies to Mitigate Targeted Cyber Intrusions—Mitigation Details
•
Top 4 Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirement Explained
•
Top 4 in a Linux Environment
•
Application Whitelisting Explained
•
Assessing Vulnerabilities and Patches
•
Minimising Administrative Privileges Explained.
Further guidance on protective security policy and the PSPF is available at
www.protectivesecurity.gov.au.
36
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : P roduct S ecurity
Product Security
Rationale
DID
D I D YOU
YO U K N
NOW?
OW?
ICT security products, by default, do not provide security out–of–the–box and may contain
flaws or vulnerabilities which are able to be exploited by a malicious actor. With the
proliferation of product choices, it is increasingly difficult for agencies to know not only which
ICT security products are safe to use, but also which provide the most effective functionality
for their business needs and threat environment.
17% of IT
professionals
stated that
the use of
unauthorised
programs resulted
in as many as
half of their
company’s data
loss incidents.15
Agencies need confidence that the ICT security products
they select and use meet their organisational security needs,
address known vulnerabilities and remain secure given the
changing threat environment. An impartial evaluation of
the security product by an independent entity can assist in
achieving this confidence by verifying the security claims of a
product vendor and testing for vulnerabilities.15
ASD maintains and publishes the Evaluated Products List
(EPL)—which comprises evaluation and certification results
performed by ASD, the Australasian Information Security
Evaluation Program (AISEP) or from an ASD recognised
foreign scheme—to provide agencies with a list of
independently evaluated products to select from.
Products that have been formally evaluated can help increase an agency’s confidence that
a product will work as expected, but within a clearly defined set of constraints. Using an
evaluated product in a different way from which it was tested could introduce threats and
vulnerabilities that were not considered by the initial evaluation. In particular, greater product
convergence and inter–network connectivity means that many ICT security products require
third party hardware and software to operate, which can introduce new vulnerabilities that
may not have been tested for. Therefore, residual security risks still need to be acknowledged
and accepted when selecting and using products listed on the EPL.
Scope
This chapter describes the merit of applying ASD’s recommended risk–based processes to the
selection, acquisition, installation and configuration of ICT products which provide security
functions for the protection of information, as well as the value in following appropriate
labelling, maintenance, sanitisation and disposal procedures for such products.
15CISCO, Data Leakage Worldwide: Common Risks and Mistakes Employees Make, 2008.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
37
P rinciples : P roduct S ecurity
Principles
1.
Product Security Lifecycle
Securely select, acquire, install, configure, label, maintain, repair, sanitise and
dispose of ICT products that provide information security functionality by applying
ASD’s recommended risk–based processes.
ASD publishes a list of evaluated products on the EPL to assist agencies in making risk–based
decisions for acquiring ICT security products. Selecting an ICT security product which has
been evaluated by ASD or another recognised scheme provides an agency with confidence that
the product will meet its business needs and accepted risk profile, and prevent unintended
software possibly containing malicious code from being installed.
Protective marking labels help determine appropriate handling, usage, sanitisation, disposal
or destruction requirements based on classification. Ensuring that technicians who are given
access to ICT products are either cleared or appropriately escorted, as well as sanitising or
declassifying products when taking the product off–site for repair or maintenance, reduces
the risk of unauthorised disclosure of classified or sensitive information. Following proper
sanitisation and disposal procedures also mitigates the risk of inadvertently releasing classified
information into the public domain.
2.
High Assurance Products
Seek ASD approval or guidance as appropriate before acquiring, configuring,
delivering, repairing, labelling, patching and disposing of High Assurance products.
Given the potential threat vectors and the value of the information being protected, ASD is
required to direct, and in some cases authorise, actions taken in regard to High Assurance
products. ASD guidance and authorisation helps ensure that the functionality and integrity
of such products are not degraded, for example when undertaking repairs or applying
external labels, as well as preventing opportunities for a malicious actor to gain insight into
government capabilities, such as through improper product disposal practices.
References
For further information on the AISEP and the EPL, please visit ASD’s website at
www.asd.gov.au/infosec.
38
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : M edia S ecurity
Media Security
Rationale
DID
D I D YOU
YO U K N
NOW?
OW?
Instituting and maintaining a comprehensive media control program, including protecting
media according to the classification of the information it stores, can help agencies mitigate
the risk of disclosing classified or sensitive information. Best practice media security can help
protect against not only current exploits, but also exploits that could emerge in the future.
In a research experiment, the
Sophos Australia office discovered
that 66% of the 50 USB drives they
purchased from a public transport
provider were infected with malicious
software. They were able to uncover
information about many of the
former owners of the devices, as
well as their family, friends and
colleages.16
There are a number of security risks
agencies should be aware of when using
media. For instance, some operating
systems provide the functionality to
automatically run certain types of
programs that reside on media. While this
was designed for a legitimate purpose, it
can also be used for malicious purposes or
lead to inadvertent compromise.
If this functionality remains enabled,
malware can execute as soon as media
is connected to a system. Coupled with
the ability to insert media of a higher classification into a system of lower classification,
sensitive or classified information could be disclosed. Known vulnerabilities have also been
demonstrated where malicious actors can connect a device to a locked workstation and still
gain access to encryption keys. Furthermore, devices that have direct access to the system
memory can allow a malicious actor to read or write any content to memory that they desire.
The best defence against this vulnerability is to disable access to relevant ports, using either
software controls or by physically damaging the ports so that devices cannot be connected.
Implementing technical measures to ensure certain types of media need to be explicitly
approved for use in a classified environment provides an additional layer of user awareness
and security, in case users are unaware of, or choose to ignore, media security requirements.
Following sound security practices when connecting, storing, transferring, sanitising,
destroying or disposing of media plays a major role in preventing classified and sensitive data
spills and avoiding malicious attacks.
Documenting such policies and procedures will ensure they are carried out in accordance with
agency expectations.
Scope
This chapter describes the value of implementing appropriate media handling, usage,
sanitisation, destruction and disposal practices.16
16Sophos, Security Threat Report 2012 — Seeing the Threats Through the Hype, 2012.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
39
P rinciples : M edia S ecurity
Principles
1.
Media Handling
Establish a removable media policy to provide oversight and accountability for
agency information transported or transferred between systems on removable
media. Maintain confidentiality by accurately classifying, reclassifying
(following appropriate sanitisation or destruction procedures or changes to data
classification), labelling and registering media in accordance with the information
it stores.
Accurately classifying media provides appropriate protections for the information it stores.
Media that is not correctly classified carries a greater risk of being mishandled and accessed
by unauthorised persons. Labelling helps personnel to identify the classification and ensure
the media is afforded the appropriate level of security. A sound process for registering and
accounting for media helps minimise the likelihood of unauthorised disclosure of
classified information.
2.
Media Usage
Maintain the confidentiality of stored information by implementing and
documenting appropriate standards for connecting, storing and transferring media.
Implementing controlled and accountable processes for using media can minimise the risk of
unauthorised access and disclosure by preventing classified media from being connected to
systems of a lesser classification, as well as protecting information which is being stored or
transferred within a media device.
3.
Media Sanitisation
Reduce the likelihood of a data spill by implementing proper processes for
sanitising—that is, securely overwriting information on—media that is either no
longer required or before reuse.
Approved sanitisation methods provide a high level of assurance that no remnant data is
on the media. Sanitising media before reuse ensures that information is not inadvertently
accessed by an unauthorised individual or protected by insufficient security measures.
Independent verification provides assurance that the process was conducted correctly. It is
important to note that some media is not able to be sanitised because of the way information
is stored, for example microform and printer ribbons.
4.
Media Destruction
Prevent unauthorised access to stored classified or sensitive information by
destroying media that cannot be sanitised—under proper supervision and using
documented procedures, appropriate equipment and waste management and
transportation processes.
Media destruction methods are designed to ensure that recovery of data is impossible or
impractical. There are some types of, and specific circumstances under which, media cannot
be sanitised and therefore, if no longer required, must be destroyed.
40
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : M edia S ecurity
5.
Media Disposal
Minimise the likelihood of a data spill when media is released into the public
domain by declassification and a formal administrative decision to approve its
disposal—by an appropriate authority and according to an agency’s documented
procedures.
Appropriate media disposal practices are essential in ensuring that classified information
is not accidentally disclosed. Media can be disposed of only after it has been sanitised or
destroyed to a point where it no longer contains sensitive or classified information. A formal
administrative decision needs to be made to complete the declassification process and to allow
media to be released into the public domain.
References
Nil.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
41
P rinciples : S oftware S ecurity
Software Security
Rationale
Software may contain flaws and vulnerabilities which are able to be exploited by a malicious
actor. These vulnerabilities can not only be used to gain unauthorised access to classified
or sensitive information, but also to undermine the integrity or availability of an agency’s
information—such as by targeting an agency’s public website to disrupt access or modify its
content for malicious purposes.
DID
D I D YOU
YO U K N
NOW?
OW?
Installing antivirus software and software–based firewalls that limit inbound and outbound
network connections are good first steps in reducing the risk of compromise. However,
software security degrades over time as malicious actors discover new vulnerabilities and
exploits, and these measures cannot be relied upon by themselves to protect workstations.
Ensuring software and operating system patches are up to date, and antivirus and other
security software is appropriately maintained with the latest signatures, helps address new
vulnerabilities as they emerge.
Web applications
are the third
most common
intrusion
vector and are
associated with
more than one
third of total data
loss.17
Agencies can also implement measures to help protect their
systems from unknown vulnerabilities, such as malicious code
not yet identified by antivirus or software vendors.
Restricting the running of applications on a system to only
those that are specifically authorised provides increased
protection against the execution and spread of malware. This
is known as application whitelisting.
Moreover, by limiting the promulgation of information about
what software has been installed on systems, agencies can
help prevent a malicious actor from gaining knowledge of how
to tailor potential attacks to exploit a particular vulnerability.
Database systems contain a wealth of information, and are therefore highly desirable targets
for cyber intruders, as compromising them can have significant and immediate payoffs.
Implementing appropriate security controls will reduce the risk of unauthorised individuals
accessing agency information held in databases, and accordingly reduce the risk involved with
data aggregation.17
Scope
This chapter describes the importance of implementing and maintaining proper software
security on agency systems.
17Verizon, Data Breach Investigations Report, 2012.
42
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : S oftware S ecurity
Principles
1.
Software Security
Maintain the confidentiality, integrity and availability of agency information and
protect against the execution and spread of malware by implementing appropriate
software security measures on systems.
Software vulnerabilities can be exploited by a malicious actor to gain access to agency
information or to undermine its confidentiality, integrity or availability. Measures such as
segregating networks and systems or limiting system privileges will assist in minimising the
spread of malicious code or the damage it could do to an agency’s system. Even though web
applications may only contain information authorised for release into the public domain, it is
important to ensure security measures are incorporated to protect the integrity and availability
of the information and the systems it is hosted on and connected to.
2.
Known Vulnerabilities
DID
D I D YOU
YO U K N
NOW?
OW?
Maximise software effectiveness and minimise vulnerabilities by implementing
and routinely updating preventative measures, such as applying system and
software patches, keeping antivirus signatures up to date and only running
supported software.
3.
In April 2013, more than 600,000
Mac users found themselves
recruited into the global
Flashplayer botnet due to a Java
vulnerability left unpatched on OS
X for far too long. Within weeks,
another vulnerability was found in
Java's secure application sandbox
for versions 5, 6 and 7. This new
exploit put 1 billion devices at
risk.18
Software security will degrade over time as
malicious actors continue to discover new
vulnerabilities and exploits. It is important
that agencies monitor available information
regarding new known vulnerabilities
and apply the security patches released
to address them as part of their risk
management program.
Patching operating systems and applications
are highly effective measures to prevent
malicious actors from exploiting known
vulnerabilities. Accordingly, these are two of
the Top 4 Strategies in ASD’s list of Strategies
to Mitigate Targeted Cyber Intrusions.18
Unknown Vulnerabilities
Maintain the confidentiality, integrity and availability of an agency’s information
by removing, disabling and preventing the execution of unauthorised, unused or
undesired software or software functionality wherever possible.
Restricting access to or disabling unauthorised, unused or undesired software or functionality
effectively limits a malicious actor’s opportunity to exploit software vulnerabilities. Application
whitelisting, which enables only specifically selected applications to be activated, is one of
the most effective approaches in countering unknown risks. An average system user requires
access to only a few applications, or groups of applications, in order to conduct their business.
18Sophos, Security Threat Report 2013, 2013
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
43
P rinciples : S oftware S ecurity
Restricting the user’s permissions to running a limited set of trusted applications significantly
reduces the opportunities available for attacking a system and provides an effective
mechanism to prevent system compromise due to the execution of unauthorised or malicious
software. Accordingly, application whitelisting is one of the Top 4 Strategies in ASD’s list of
Strategies to Mitigate Targeted Cyber Intrusions.
4.
Databases
Protect database systems and their contents from theft, corruption, loss and
unauthorised access by hardening through technical measures, administrator and
user policies and regular audits.
Using supported and patched database software, securely configuring database software and
stringently controlling database access will assist in protecting the contents of databases.
Assessing agency business requirements before storing sensitive information on databases is
imperative, as this can impact an agency’s risk profile. Additionally, removing pre–configured
default settings and placing database servers on a different network segment to agency
corporate workstations will improve database security.
References
Further guidance on ASD’s Strategies to Mitigate Targeted Cyber Intrusions can be found at
www.asd.gov.au/infosec/top35mitigationstrategies.htm.
44
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : E mail S ecurity
Email Security
Rationale
DID
D I D YOU
YO U K N
NOW?
OW?
Email, because it enables the communication of information into and out of an agency, by
nature is insecure. Poor email security practices and implementation can lead to unauthorised
individuals easily gaining access to sensitive or classified agency information in emails
themselves, or through network compromise. Socially engineered emails are one of the most
common techniques used to spread malware on agency networks. This technique relies on
a user opening a malicious link or attachment. Motivated malicious actors can use these
methods to establish doorways into agency networks, which can result in agency information
being stolen, altered or even made unavailable. Agencies
can minimise their vulnerability to socially engineered
emails by properly implementing, monitoring and
The Public Sector was
maintaining the configuration of email servers, software
the industry most
and email applications. These measures will make it
targeted in August
difficult for malicious emails to enter an agency network
2013, with one in
and be delivered to users.
every 76.7 emails
being a socially–
engineered email.19
However, even with appropriate technical measures
in place, educating users to be aware of the threat of
malicious emails is one of the most important factors in
improving email security.
Scope
This chapter describes the value of the secure implementation and use of email on
agency networks.19
Principles
1.
Email Security
Protect the confidentiality, integrity and availability of information, and ensure
information can only be accessed by those intended and authorised to do so, by
implementing an email usage policy and applying appropriate security controls to
email applications and infrastructure.
Protectively marking all electronic–based information is critical for allowing appropriate
email security measures to be applied. Protective markings go a long way in preventing
unauthorised information from being released into the public domain. Applying appropriate
protective markings to emails will also assist in preventing the confidentiality of information
being inadvertently compromised as a result of activating automatic forwarding of sensitive or
classified emails.
19Symantec, Symantec Intelligence Report June 2011, 2011.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
45
P rinciples : E mail S ecurity
Securely configuring email infrastructure (such as blocking inbound and outbound email
with a protective marking higher than the classification of the receiving system) can protect
against data spills or the potential interception or compromise of information. Implementing
identification controls, such as digital signatures and Sender Policy Framework (SPF), can
also aid in the detection of spoofed emails that may contain malicious code designed to
compromise a network. In the case of SPF, the SPF record specifies a list of IP addresses or
domains that are allowed to send email from a specific domain. If the email server that sent
the email is not in the list, the verification fails.
Email messages are often routed through many email servers when travelling from sender to
recipient. For this reason, it is vital for agencies to put stringent measures in place to check
for malicious content (for instance, through a content filter) and confirm the validity of emails.
Socially engineered emails are one of the most common techniques used to spread malware.
Once technical measures fail, users are the last line of defence in ensuring a socially
engineered email does not lead to malware being installed on a workstation. Agencies need
to ensure their users are aware of the threat and educated on how to detect and report
suspicious emails. It is important, therefore, to implement an agency email usage policy and
communicate agency expectations and processes to their users.
References
Further information on Government–approved email marking standards can be found in
AGIMO’s Email Protective Marking Standard for the Australian Government
www.finance.gov.au/files/2012/04/EPMS2012.3.pdf.
Additionally, the implementation guide for the Email Protective Marking Standard for the
Australian Government is available at
www.finance.gov.au/files/2012/04/email_pmsig.pdf.
46
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : A ccess C ontrol
Access Control
Rationale
Agencies can manage access to system information through appropriate access controls,
restricting system access to authorised and successfully identified and authenticated users.
The automatic logging and subsequent auditing of information relating to network activities
will also increase the likelihood that malicious behaviour will be detected.
DID
D I D YOU
YO U K N
NOW?
OW?
44% of data
breaches are
a result of
exploitation
of default or
guessable
credentials.20
DID
D I D YOU
YO U K N
NOW?
OW?
Giving each user a unique identification ensures accountability and
enables agencies to attribute actions undertaken within a session to
specific personnel. Ensuring that users provide sufficient evidence
to verify their identity can also reduce the likelihood of a malicious
actor successfully masquerading as an authorised user—such as
a social engineering attack aimed at an agency service desk to
request a password reset for a system account.
In 2012, Russian
cybercriminals
posted nearly 6.5
million LinkedIn
passwords on the
Internet. Teams of
hackers had cracked
more than 60% of
these passwords
within days.21
Passwords and passphrases are common authentication techniques
which enable an agency to verify the stated identity of a user.
However, given the ever‑increasing processing power of home
computers, length and complexity requirements for passphrases will also continue to increase
to provide agencies with adequate protection against basic techniques such as brute–force
attacks—a simple six–letter password can be brute‑forced in minutes by software freely
available on the Internet. Agencies can mitigate this by implementing additional authentication
measures, such as multi–factor authentication, which requires the presentation of at least
two different kinds of evidence that someone is who they say they are. This can be achieved
through various means, including biometrics, cryptographic tokens and smartcards.20
Authorisation is the core of access control as it enforces
the need–to–know principle. Authorisation is two–fold.
Firstly, an individual needs to be authorised to have access
to a system, and secondly they need to be authorised
to access specific applications, databases or information
resources on a system. This is often achieved by using
access control lists.
User credentials should be given additional protection to
reduce the risk of a malicious actor finding and using the
information to access a system under the guise of a valid
user.
Scope
This chapter describes the importance of managing user access to system information and the
automatic logging and auditing of network activities.21
20Verizon, 2012 Data Breach Investigations Report, 2012.
21Sophos, Security Threat Report 2013, 2013
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
47
P rinciples : A ccess C ontrol
Principles
1.
Identification and Authentication
Ensure that access to a system is limited to users and devices that are authorised
to access it by adopting appropriate identification and authentication practices
and controls.
Strong identification and authentication mechanisms significantly reduce the risk that
unauthorised users will gain access to a system.
2.
System Access
Protect the confidentiality, integrity and availability of information on systems by
limiting authorisation to those with appropriate security clearances, briefings and a
demonstrated need–to–know.
Managing authorisations of users through the use of access controls on a system helps enforce
the need–to–know principle.
3.
Event Logging and Auditing
Detect and attribute any violations of information security policy—including cyber
security incidents, breaches and intrusions—by maintaining, auditing and ensuring
the availability and integrity of event logs.
DID
D I D YOU
YO U K N
NOW?
OW?
Event logging and auditing helps raise the security posture of a system by increasing the
accountability for all user actions, thereby improving the chances that malicious behaviour will
be detected. Agencies should ensure sufficient detail is recorded in order for the logs to be
useful when reviewed and determine an appropriate length of time for them to be retained.
Conducting audits of event logs should be seen as an integral part of system maintenance,
since they will help detect and attribute any violations of information security policy, including
cyber security incidents, breaches and intrusions. Agencies are required under the Archives Act
1983 to retain event logs and audit trails for a minimum of seven years.22
In 2012, a major data storage site admitted that usernames and passwords stolen
from other websites had been used to sign into a small number of its accounts.
One employee of the site had used the same password for all of their accounts,
including their work account with access to sensitive data. When the password
was stolen elsewhere, the attacker discovered that it could be used against the
data storage site.22
References
Further information on minimum retention periods for Commonwealth records is provided in
the National Archives of Australia’s Administrative Functions Disposal Authority, which can be
found at
www.naa.gov.au/records-management/agency/keep-destroy-transfer/agency-ra/index.aspx.
22Sophos, Security Threat Report 2013, 2013
48
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : S ecure A dministration
Secure Administration
Rationale
Secure enterprise administration allows agencies to be resilient in the face of malicious cyber
intrusions by protecting privileged machines and accounts from compromise, as well as making
an adversary's movement through a network more difficult.
By implementing technical controls and configuring networks to improve administration
security, it is more likely the secure administration system will withstand a cyber intrusion.
This can limit damage and can make incident response far more agile, allowing remediation
work to be completed faster.
Scope
This chapter describes the importance of applying security controls and processes to improve
The security of administrative credentials, infrastructure and actions performed on a network
or system.
Principles
1.
Secure Administration
Increase the level of assurance that administrator activities and credentials will
not be compromised during a malicious cyber intrusion by implementing robust
technical controls and processes.
One of the greatest threats to the security of a network is the compromise of a workstation
used for IT administration. Providing a physically separate workstation with robust technical
controls in place to administrators responsible for critical assets, in addition to their
workstation used for unprivileged access, provides greater assurance that administrator
activities and credentials will not be compromised.
References
Nil. 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
49
P rinciples : C ryptography
Cryptography
Rationale
Cryptography is primarily used to restrict access to information to authorised users. First and
foremost, encryption improves confidentiality, providing protection to classified or sensitive
information by making it unreadable to all but authorised users.
More broadly, cryptography can also provide:
•
Data integrity: protecting information from accidental or deliberate manipulation. It
provides users with assurance that information has not been modified.
•
Authentication: ensuring that a person or entity is who they claim to be. A robust
authentication system is essential for protecting access to IT systems.
•
Non–repudiation: proof that a user performed an action, such as sending a message,
and preventing them from denying that they did so.
Using approved encryption does not reduce the consequences of a successful attack and, in
effect no real–world product can ever be guaranteed to be free of vulnerabilities.
DID
D I D YOU
YO U K N
NOW?
OW?
Before approving cryptographic algorithms for use, ASD conducts a meticulous evaluation of
those already scrutinised by industry and academic communities in a practical and theoretical
setting, which have not been found to be susceptible to any feasible attacks. However, there
can be no guarantee of security against presently unknown attacks. It is vital that agencies
remain aware of what is possible as the information technology environment continues to
develop and change.
A survey in 2008
conducted by the
Identity Theft Resource
Centre found that
82% of respondents
who had lost data
said that encryption
could have prevented
the data from being
compromised.
Using any cryptographic product, algorithm or protocol
is not sufficient in itself to adequately reduce the
likelihood of compromise. Unapproved or inappropriately
configured cryptographic algorithms and protocols can
carry a significant level of risk. In particular, installing
a cryptographic capability can increase security
confidence within an agency and change user behaviour
by promoting the view that more sensitive or classified
information is now able to be stored and communicated
securely. If this capability is poorly configured, it can lead
to an actual reduction in overall security, as the system
may be used to carry more sensitive information with
little to no genuine improvement to security.
Further, some common protocols have known impacts on other security operations, for
example, restricting an agency’s ability to inspect encrypted messages and attachments for
inappropriate content, or scan files for viruses and malicious code. To maximise the benefit of
cryptographic capabilities, agencies should only use ASD Approved Cryptographic Algorithms
and Protocols, ensuring that they are configured appropriately, and be aware of any known
restrictions or vulnerabilities.
50
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : C ryptography
Scope
This chapter describes the use of ASD Approved Cryptographic Algorithms and Protocols to
encrypt information, and the management of cryptographic systems.
Principles
1.
Protecting Information at Rest
Maintain the confidentiality and integrity of classified or sensitive information at
rest using an appropriate ASD Approved Cryptographic Algorithm.
Encrypting information at rest can be used to reduce physical storage and handling
requirements, as well as maintain its confidentiality.
2.
Protecting Information in Transit
Maintain the confidentiality and integrity of classified or sensitive information in
transit using ASD Approved and appropriately configured Cryptographic Protocols
implementing an ASD Approved Cryptographic Algorithm.
Encrypting information in transit, using ASD Approved Cryptographic Protocols which
implement an ASD Approved Cryptographic Algorithm, can be used to protect classified or
sensitive information being communicated over unclassified or public networks. Unapproved
or incorrectly configured cryptographic protocols, in combination with an assumed level of
security confidence, can represent a significant security risk.
3.
Availability of Information
Ensure encrypted information is accessible to those that require it when they
require it by implementing appropriate procedures and controls for data recovery.
Cryptographic products which provide a means of data recovery can allow for retrieval of
information in circumstances where the encryption key is unavailable due to loss, damage
or failure.
4.
Management of Cryptographic Systems
Maintain the integrity of cryptographic systems, and hence the confidentiality and
integrity of the information being protected, by applying appropriate governance
and personnel and physical security measures.
Appropriate security measures are crucial in safeguarding cryptographic systems and their
material from compromise.
References
ASD Approved Cryptographic Algorithms and Protocols are listed in the Cryptography chapter
of the ISM Controls manual.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
51
P rinciples : N etwork S ecurity
Network Security
Rationale
DID
D I D YOU
YO U K N
NOW?
OW?
Agency networks can contain sensitive, classified and business–critical information and
services. Malicious actors look for ways to exploit weaknesses in an agency’s network to gain
unauthorised access, disrupt legitimate access, or modify such information and services. If
a malicious actor has limited opportunities to connect to a given network, they have limited
opportunities to compromise that network.
In 2011,
94% of
all data
compromised
involved
servers.23
Agencies can structure and configure their networks to reduce the
number of potential entry points that could be used by a malicious
actor to gain unauthorised access to information or disrupt agency
services.
It is also important to consider not just the risks from
vulnerabilities in an agency controlled network, but also in external
networks. For instance, when devices connect to non–agency
controlled wireless networks, particularly public wireless networks,
they may be exposed to viruses, malware or other malicious code
circulating on the network. If the device becomes infected and is
later connected to an agency controlled network then malicious code can enter the network
and steal sensitive information or disrupt the agency’s systems.23
Scope
This chapter describes the importance of securely deploying, configuring and managing
network devices and infrastructure.
Principles
1.
Network Management
Ensure all sections of an agency’s network comply with information security
policies, and that network vulnerabilities are identified and addressed, by adopting
appropriate network management practices.
Central management will help ensure that all sections of the network comply with information
security policies. Network documentation, that is updated as changes are made, will assist
system administrators to completely understand and adequately protect the network.
Appropriate intrusion detection and prevention mechanisms and the logging of network
activity, such as recording the occurrence of blocked emails or monitoring suspicious network
traffic, can assist agencies to prevent, detect and respond to cyber security incidents. Regular
audits, security reviews and vulnerability analysis activities can assist agencies in avoiding
security degradation over time as the information technology and threat environment evolves.
Transferring data between systems in a controlled and accountable manner can reduce the risk
of data spills and introduction of malicious code to a system.
23 McAffee Labs, McAffee Threats Report: First Quarter 2013, 2013.
52
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : N etwork S ecurity
2.
Network Design and Configuration
Reduce opportunities for a malicious actor to compromise or gain unauthorised
access to sensitive or classified information through the secure design and
configuration of agency networks.
Implementing strong network authentication controls and minimising unnecessary access
points (for instance, by disabling unused physical ports, filtering unnecessary content and
applying network access controls) will reduce the opportunities from which an attack could
be launched.
DID
D I D YOU
YO U K N
NOW?
OW?
Agencies should be aware of the inherent risks in connecting specific devices to a network.
For instance, softphones (software applications which allow a workstation to act as a VoIP
phone, such as Skype) can introduce additional vulnerabilities into the network as they do not
separate voice from data, as hardware–based IP phones do. This can provide a malicious actor
with access to an agency’s voice network via their data network.
During September and October 2012, a series of Distributed Denial of Service
(DDoS) attacks on U.S—based financial institutions prevented legitimate bank
customers from accessing their websites for hours in some severe cases. The
2013 Cisco Annual Security Report described these attacks as ‘premeditated,
focused, advertised before the fact, and executed to the letter.’ 24
When using wireless networks, network segregation, changing default settings, authentication,
encryption and securing devices used to access wireless networks will significantly reduce the
risk of compromise.24
Scanning imported data for malicious content reduces the risk of a system being infected, thus
maintaining its confidentiality, integrity and availability.
3.
Network Infrastructure
Maintain the confidentiality, integrity and availability of information by applying a
defence–in–depth approach to the secure deployment of network infrastructure.
Minimising network complexity and physically separating sections of a network can reduce the
number of potential access points that could be used to gain unauthorised access to sensitive
or classified information, and makes it difficult for an intruder to propagate once inside the
network. Physically or logically separating sections of a network can also help ensure the
availability of information and services when other sections of the network may have been
affected — by a Distributed Denial of Service attack for example (an attempt to flood networks
with unwanted traffic to disrupt or degrade services). Further, building redundancies into an
agency’s network, for example through the use of multiple internet links, can help increase the
complexity required for a successful Distributed Denial of Service attack, as well as increasing
the agency’s response options.
24Verizon, 2012 Data Breach Investigations Report, 2012.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
53
P rinciples : N etwork S ecurity
Separating sections of a network is essential to enable agencies to implement a defence–
in–depth approach to network security. Network segmentation is one of the most effective
methods to prevent a cyber intruder from propagating inside a network. If implemented
correctly, it can be significantly more difficult for an intruder to find and access their target
information and move undetected around the network. Logging functionality in network
segmentation technologies can prove extremely valuable in detecting an intrusion and, in the
event of a compromise, isolating a compromised device from the rest of the network.
References
Nil.
54
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : C ross D omain S ecurity
Cross Domain Security
Rationale
Connecting a security domain to another security domain, which includes connecting to the
Internet, poses significant risks to an agency’s information. Gateways and cross domain
security measures can mitigate these risks by securely managing data flows between different
security domains.
Applying robust security measures including content filters and firewalls to gateway systems
will reduce the risk of malicious content entering the security domain or information being
accessed by those unauthorised to do so. Physically locating all gateway components inside an
appropriately secure area also reduces the risk of unauthorised access to the devices. Further,
providing a sufficient logging and audit capability can assist an agency in detecting and
responding to cyber security incidents and attempted network intrusions, allowing the agency
to implement countermeasures to reduce the risk of future attempts.
Scope
This chapter describes the importance of securely transferring information to and from a
security domain through a gateway, including using cross domain solutions.
Principles
1.
Gateway Security
Protect the confidentiality, integrity and availability of information on agency
networks by appropriately deploying and configuring gateways.
Given the criticality of gateways in controlling the flow of information between security
domains, poor configuration or management of a gateway can have serious consequences,
potentially providing a malicious actor with access to an agency’s entire network.
2.
Cross Domain Security
Ensure the secure transfer of information between security domains with a high
level of assurance by implementing security–enforcing mechanisms.
Connecting systems with differing security policies poses significant risks. For classified
networks, using a cross domain solution comprising ASD evaluated products will help
protect the confidentiality, integrity and availability of information being transferred between
security domains.
3.
Maintenance and Review
Identify and mitigate security risks as early as possible by maintaining and regularly
reviewing gateway architecture. This includes undertaking routine testing and
regular security risk assessments and ensuring that any residual risks are accepted.
Changes to a security domain connected to a gateway can potentially affect the security
posture of other connected security domains.
References
Nil.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
55
P rinciples : D ata T ransfers and C ontent F iltering
Data Transfers and Content Filtering
Rationale
When data is moved from one security domain to another there is a risk of intentionally or
unintentionally causing a data spill or allowing malicious or unauthorised content to enter
a security domain. Two activities help reduce the risk of unauthorised or malicious content
transiting the boundary: implementing a data transfer policy which ensures that content leaves
a security domain in a secure manner and, applying content filtering which allows security
policies to be run on material entering and leaving a security domain.
Scope
This chapter describes the importance of performing data transfers and content filtering in a
secure manner.
Principles
1.
Data Transfers
Mitigate the risk of data spills of sensitive or classified information to systems not
accredited to handle the data by having a policy governing data transfers and a
procedure in place for authorising and importing or exporting the data to a system.
A data transfer authorisation system will not only hold users accountable for data they transfer
between systems but give agencies an opportunity to scan the data for malicious and active
content and check that the classification of the data is appropriate for the destination system.
2.
Content Filtering
Implement content filtering techniques to reduce the risk of unauthorised or
malicious content transiting a security domain boundary.
Blocking or allowing data transiting a security domain boundary based on its content can
increase the level of assurance that information transiting a security domain is legitimate
and benign. There are a number of techniques that may constitute content filtering, both to
prevent suspicious data and malicious content from entering a security domain and to restrict
the export of data to appropriate content.
References
Nil.
56
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : W orking O ff – S ite
Working Off–Site
Rationale
The use of mobile devices has become essential to everyday communication. Mobile devices
can provide employees with access to email, the Internet and even agency systems, allowing
them to work from home, an airport lounge or hotel room. They provide greater accessibility,
mobility, convenience and, importantly, efficiency.
While agencies should naturally embrace the potential of mobile devices, it is important to
understand and evaluate the risks associated with their use and how they impact an agency’s
security risk profile.
Once a mobile device leaves a controlled office environment, it also leaves behind the
protection that environment affords. Some of the best qualities of mobile devices, such as
their portability and capacity for use outside the office, have introduced new risks. The more
capable these devices are of helping users access and use data, the more capable they are of
being manipulated by malicious actors for the same end.
Poorly controlled mobile devices are particularly vulnerable to loss and compromise, and may
provide a malicious actor with an access point into an agency’s system. For instance, users
who access websites and web–based email from their mobile devices can make themselves
vulnerable to Internet–based threats, such as malware. The employee can then inadvertently
expose the corporate network to these threats when he or she connects to the agency’s
system from the same device. Further, agencies that allow business use of personal mobile
devices can introduce significant risks to their information, as personal devices often do
not have sufficient inbuilt security features enabled, such as authentication controls and
encryption. These risks apply equally for workstations installed for home–based work. Privacy
rights should also be considered by agencies permitting the use of personal devices for
business purposes, as access to records in the event of an incident can be restricted due to
privacy concerns.
Agencies must also consider their obligations under relevant legislation, such as government
data retention requirements under the Archives Act 1983.
It is important for agencies to identify the circumstances where the liability and security risks
of using mobile devices outweigh the benefits. In particular, mobile devices carrying highly
classified information should not be used outside of appropriately certified facilities, as the risk
of classified information being overheard or observed is considered too high.
Although mobile networking alters the risks associated with various threats to security,
the overall security objectives remain the same as with wired networks: maintaining
confidentiality, integrity and availability of systems and their information. To reduce the risks of
use, it is critical that agencies develop and implement policies to ensure users protect mobile
devices in an appropriate manner when they are used outside controlled facilities, and that
personnel working from home or outside the office protect information in the same manner as
in the office environment.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
57
P rinciples : W orking O ff – S ite
Scope
This chapter describes managing the use of mobile devices and accessing information from
unsecured locations and home environments.
Principles
1.
Acceptable Use
Prevent mobile devices from becoming a security risk to the system or network
they connect to by implementing, and educating personnel on, an effective mobile
device usage policy.
DID
D I D YOU
YO U K N
NOW?
OW?
Information being communicated via a mobile device outside a controlled facility can be more
easily overheard or observed by those not authorised to do so. An agency policy governing
the use of mobile devices can help build awareness of the elevated risks relating to their use,
and ensure confidentiality and integrity of information is maintained. Under an acceptable use
policy, personnel need to know the classification of information which the device has been
approved to process or communicate before use.25
A Symantec
study found a
25% increase in
the number of
vulnerabilities in
mobile devices
between 2011 and
2012.25
Using mobile devices for both personal and business
purposes can make them more susceptible to Internet–
based threats. For instance, during personal web–
browsing, personnel are more likely to open unidentified
links or visit unfamiliar sites, which can bring about the
spread of malware. Users also need to be aware that
mobile applications can contain malicious code or malicious
content that is installed along with the legitimate software.
Malware can provide an entry route into the associated
business network as well as access to information stored
or communicated on the mobile device.
Connecting mobile devices to an unknown or untrusted source (for charging or to provide
network connectivity) can also pose a security risk to an agency. For example, if a smartphone
is plugged into an unknown computer via a USB cable to charge, then the contents of the
device could be compromised or malware loaded onto the device. For the same reason,
agency users should not allow unknown or untrusted people to connect a mobile device to
their laptop.
2.
Mobile Device Configuration
Limit situations, or mitigate the consequences of situations, where a user loses
control over a mobile device by securely configuring the device and implementing
appropriate processes.
Most mobile devices have been designed for use outside the office and thus can be more
easily accessed or stolen. Emergency destruction procedures and lost device labels can help
reduce the risk of data spills when a mobile device is lost or compromised.
Proper encryption technology can enhance the security of information stored on a mobile
device and help protect sensitive or classified information being communicated wirelessly or
over unsecured public infrastructure from unauthorised access.
25 Symantec Corporation, Internet Security Threat Report 2013, 2013.
58
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
P rinciples : W orking O ff – S ite
3.
Wireless Communications and Connectivity
DID
D I D YOU
YO U K N
NOW?
OW?
Protect sensitive or classified information from unauthorised access by only enabling
wireless communications on a mobile device that are needed and can be secured.
4.
More than 200,000 mobile
phones are reported lost
or stolen each year in
Australia. This equates
to 4,000 each week, or
one mobile phone every 3
minutes.26
Wireless networks do not have the inbuilt physical
security of wired networks, providing malicious
actors with greater opportunities to connect to
agency networks remotely. The wireless transfer
of information, for instance through Bluetooth,
infrared or Wi–Fi, can serve as an illicit entry point
for an entire network. When using public wireless
access points, malicious actors can easily intercept
information being communicated, including secure
log–on details, using basic software available on
the Internet.
Upkeep and Maintenance
Maintain the integrity and confidentiality of the information stored or communicated
on a mobile device by conducting regular audits and security updates.
Although agencies may initially provide a secure mobile device, the state of security may
degrade over time. It is important for agencies to remain aware of new vulnerabilities as
the information technology environment evolves. Keeping security software up to date
will protect the mobile device from new variants of malware and viruses that threaten an
agency’s critical information.26
5.
Working From Home
Prevent systems or mobile devices from becoming a weak link in an agency
system’s security by ensuring that home environments used for business purposes
meet the minimum security requirements in the Australian Government Physical
Security Management Protocol of the Australian Government Protective Security
Policy Framework.
If sensitive or classified information is being accessed by personnel working from home,
specifically when information systems and devices are used, it needs to be afforded the same
protection as in the office environment.
References
Information relating to physical security is contained in the Australian Government Physical
Security Management Protocol of the Protective Security Policy Framework, which can be found
at www.protectivesecurity.gov.au.
For further information on working from home see the Australian Government Physical Security
Management Guidelines—Working Away From the Office, which can be found at
www.protectivesecurity.gov.au.
Information on enterprise mobility considerations can be found in ASD’s Protect publication
Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD) at
www.asd.gov.au.
26 Australian Mobile Telecommunications Association, FAQs on Mobile Security, found at www.amta.org.au.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
59
SUPPORTING
INFORMATION
61
S U P P O RT I N G I N F O R M AT I O N
Supporting Information
Glossary of Terms
TERM
MEANING
access control
Enabling the authorised use of a resource while preventing
unauthorised use or use in an unauthorised manner.
accreditation
A procedure by which an authoritative body gives formal
recognition, approval and acceptance of the associated residual
security risk with the operation of a system.
accreditation authority
The authoritative body associated with accreditation
activities. Advice on who should be recognised as an agency's
accreditation authority can be found in the Conducting
Accreditation section of the ISM Controls manual.
agency
Includes all Australian government departments, authorities,
agencies or other bodies established in relation to public
purposes, including departments and authorities staffed under
the Public Service Act 1999, the Financial Management and
Accountability Act 1997 or the Commonwealth Authorities and
Companies Act 1997.
agency head
The government employee with ultimate responsibly for the secure
operation of agency functions, whether performed in–house
or outsourced.
application whitelisting
An approach in which all executables and applications are
prevented from running by default, with an explicitly defined set
of executables allowed to execute.
audit
An independent review of validity, accuracy and reliability of
information contained on a system. In the context of conducting
system accreditations, an audit is an examination and
verification of an agency’s systems and procedures, measured
against predetermined standards.
Australiasian
Information Security
Evaluation
Program (AISEP)
A program under which evaluations are performed by impartial
companies against the Common Criteria. The results of these
evaluations are then certified by ASD, which is responsible for
the overall operation of the program.
authentication
Verifying the identity of a user, process or device as a
prerequisite to allowing access to resources in a system.
availability
The assurance that systems are available and accessible by
authorised entities when required.
62
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
S U P P O RT I N G I N F O R M AT I O N
TERM
MEANING
certification
A procedure by which a formal assurance statement is given that
a deliverable conforms to a specified standard.
certification authority
An official with the authority to assert that a system complies
with prescribed controls in a standard.
classification
The categorisation of information or systems according to the
business impact level associated with information or a system.
classified information
Government information that requires protection from
unauthorised disclosure.
confidentiality
The assurance that information is disclosed only to
authorised entities.
cross domain solution
An information security system capable of implementing
comprehensive data flow security policies with a high level of
trust between two or more differing security domains.
cryptographic algorithm
An algorithm used to perform cryptographic functions such as
encryption, integrity, authentication, digital signatures or key
establishment.
cryptographic protocol
An agreed standard for secure communication between two or
more entities to provide confidentiality, integrity, authentication
and non–repudiation of information.
cyber security
Security measures relating to the confidentiality, availability
and integrity of information that is processed, stored and
communicated by electronic or similar means.
cyber security event
An identified occurrence of a system, service or network state
indicating a possible breach of information security policy or
failure of safeguards, or a previously unknown situation that may
be security relevant.
cyber security incident
A single or a series of unwanted or unexpected cyber security
events that have a significant probability of compromising
business operations and threatening information security.
Cyber Security Incident
Reporting scheme
A scheme established by ASD to collect information on cyber
security incidents that affect government systems.
data spill
The accidental or deliberate exposure of classified, sensitive
or official information into an uncontrolled or unauthorised
environment or to persons without a need–to–know.
emanation security
The countermeasure employed to reduce classified emanations
from a facility and its systems to an acceptable level. Emanations
can be in the form of radio frequency energy, sound waves or
optical signals.
declassification
A process whereby information is reduced to an unclassified state
and an administrative decision is made to formally authorise its
release into the public domain.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
63
S U P P O RT I N G I N F O R M AT I O N
TERM
MEANING
Distributed Denial of
Service (DDoS)
The compromise of availability of IT systems, where multiple
systems are used to compromise the targeted systems.
firewall
A system designed to prevent unauthorised access to or from a
network or system.
gateway
Gateways securely manage data flows between connected
networks from different security domains. Refer to the Cross
Domain Security chapter of ISM Controls manual for further
information.
handling requirements
An agreed standard for the storage and dissemination of
classified or sensitive information to ensure its protection. This
can include electronic information, paper–based information or
media containing information.
hardware
A generic term for any physical component of information and
communication technology.
ICT system
A related set of hardware and software used for the processing,
storage or communication of information and the governance
framework in which it operates.
infrared device
Devices such as mice, keyboards, pointing devices and mobile
devices that have an infrared communications capability.
information security
The protection of information and information systems from
unauthorised access, use, disclosure, disruption, modification or
destruction in order to provide confidentiality, integrity
and availability.
Information Security
Registered Assessor
Program
An ASD initiative designed to register suitably qualified
information security assessors to carry out specific types of
security assessments, including for gateways and information
systems up to the SECRET classification level.
integrity
The assurance that information is unmodified.
malware
Malicious software used to gain unauthorised access to
computers, steal information and disrupt or disable networks.
Types of malware include logic bombs, trapdoors, Trojans,
viruses and worms.
media
A generic term for hardware that is used to store information,
such as USB sticks, portable hard drives, CDs and DVDs.
media destruction
The process of physically damaging the media with the objective
of making the data stored on it inaccessible. To destroy media
effectively, only the actual material in which the data is stored
needs to be destroyed.
media disposal
The process of relinquishing control of media when no longer
required, in a manner that ensures that no data can be recovered
from the media.
64
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
S U P P O RT I N G I N F O R M AT I O N
TERM
MEANING
media sanitisation
The process of erasing or overwriting data stored on media so
the data cannot be retrieved or reconstructed.
metadata
Information that describes data. This can include how the data
was created, the time and date of creation, the author of the
data and the location on a network where the data was created.
mobile device
A portable computing or communications device with information
storage capability that can be used from a non–fixed location.
Mobile devices include mobile phones, smartphones, portable
electronic devices, personal digital assistants, laptops, netbooks,
tablet computers and other portable Internet–connected devices.
multifunction devices
The class of devices that combines printing, scanning, copying,
faxing or voice messaging functionality in the one device.
These devices are often designed to connect to computer and
telephone networks simultaneously.
need–to–know
The principle of telling a person only the information they require
to fulfil their role.
network device
Any device designed to facilitate the communication of
information destined for multiple users. For example:
cryptographic devices, firewalls, routers, switches and hubs.
network infrastructure
The infrastructure used to carry information between
workstations and servers or other network devices.
patch
A piece of software designed to fix problems with, or update,
a computer program or its supporting data. This includes fixing
security vulnerabilities and other program deficiencies and
improving the usability or performance of the software.
Protective Security Policy
Framework (PSPF)
Produced by the Attorney–General’s Department, the Australian
Government Protective Security Policy Framework sets out the
Australian Government’s protective security requirements for the
protection of its people, information and assets (replaced
the PSM).
product
Technology, whether hardware or software, which enables the
electronic storage, retrieval, manipulation, transmission or receipt
of information in a digital form.
reaccreditation
A procedure by which an authoritative body gives formal
recognition, approval and acceptance of the associated residual
security risk with the continued operation of a system.
risk
The chance of something happening that will affect objectives—it
is measured in terms of event likelihood and consequence.
risk acceptance
An informed decision to accept risk.
risk analysis
The systematic process to understand the nature, and deduce
the level, of risk.
2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L | P R I N C I P L E S
65
S U P P O RT I N G I N F O R M AT I O N
TERM
MEANING
risk appetite
Statements that communicate the expectations of an agency’s
senior management about the agency’s risk tolerance—these
criteria help an agency identify risk and prepare appropriate
treatments, and provide a benchmark against which the success
of mitigations can be measured.
risk management
The process of identifying risk, assessing risk, and taking steps
to reduce risk to an acceptable level.
risk mitigation
Actions taken to lessen the likelihood, negative consequences, or
both, associated with a risk.
residual risk
The remaining level of risk after risk treatments have
been implemented.
security domain(s)
A security domain is a system or collection of systems operating
under a security policy that defines the security to be applied
to information on the system or systems. That security may be
represented by a classification, caveat or releasability marking
with or across classifications.
sensitive information
Either unclassified or classified information identified as requiring
extra protections (e.g. compartmented or Dissemination Limiting
Marker information).
softphone
A software application that allows a workstation to act as a Voice
over Internet Protocol (VoIP) phone, using either a built–in or an
externally connected microphone and speaker (e.g. Skype).
system
A related set of hardware and software used for the processing,
storage or communication of information and the governance
framework in which it operates.
threat
Any circumstance or event with the potential to harm an
information system through unauthorised access, destruction,
disclosure, modification of data, and/or denial of service. Threats
arise from human actions and natural events.
user
An entity authorised to access an information system.
vulnerability
In the context of information security, a vulnerability is
a weakness in system security requirements, design,
implementation or operation that could be accidentally triggered
or intentionally exploited and result in a violation of the system’s
security policy.
wireless access point
A device which enables communications between wireless clients.
It is typically also the device which connects the wireless local
area network to the wired local area network.
workstation
A stand–alone or networked single–user computer.
66
P R I N C I P L E S | 2 0 1 4 I N F O R M AT I O N S E C U R I TY M A N U A L
asd.gov.au
ASD | REVEAL THEIR SECRETS—PROTEC T OUR OWN