2014 Australian Government Information Security Manual
PRINCIPLES
© Commonwealth of Australia 2014

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence. For the avoidance of doubt, this means this licence only applies to material as set out in this document.

The details of the relevant licence conditions are available on the Creative Commons website, as is the full legal code for the CC BY 3.0 AU licence.
http://creativecommons.org/licenses/by/3.0/au/deed.en
http://creativecommons.org/licenses/by/3.0/legalcode

Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the Department of the Prime Minister and Cabinet's website.
http://www.dpmc.gov.au/guidelines/index.cfm

Contact us
Inquiries regarding the licence and any use of this document are welcome at:
Australian Signals Directorate
PO Box 5076
Kingston ACT 2604
1300 CYBER1 (1300 292 371)
[email protected]
FOREWORD
In recent years, the Australian Government has made great advances in bringing its business online. The benefits of government information and communications technology (ICT) systems and services becoming increasingly connected will continue as the government makes the most of new technologies. However, this new, connected way of doing business also creates opportunities for adversaries to gain an advantage by exploiting these technologies to access information of national importance.

As our intrusion detection, response, mitigation and threat assessment capabilities continue to improve, so too do the skills of cyber threat actors. This requires us to be vigilant, flexible and proactive in our approach to cyber and information security. Strong security is not a trivial process—it requires ongoing vigilance and resources. By continually hardening our defences, we have a greater chance of protecting the information entrusted to us.

The Australian Government Information Security Manual (ISM) comprises three complementary documents designed to provide greater accessibility and understanding at all levels of government. This Principles document details the guiding principles and rationale to assist senior decision makers in developing informed risk-based information security policies within their organisations.

I commend you on your agency's efforts to strengthen your cyber and information security and trust you'll continue to keep security as an agency priority.

Dr Paul Taloni
Director
Australian Signals Directorate
2014 INFORMATION SECURITY MANUAL | PRINCIPLES
CONTENTS

Foreword

INFORMATION SECURITY: COUNTERING THE THREAT
The Threat Environment
Countering the Cyber Threat
The Australian Government Information Security Manual
ASD's Role

PRINCIPLES
Information Security Risk Management
Roles and Responsibilities
Industry Engagement and Outsourcing
Information Security Documentation
System Accreditation
Information Security Monitoring
Cyber Security Incidents
Physical Security
Personnel Security
Communications Infrastructure
PSPF Mandatory Requirement INFOSEC 4 Explained
Product Security
Media Security
Software Security
Email Security
Access Control
Secure Administration
Cryptography
Network Security
Cross Domain Security
Data Transfers and Content Filtering
Working Off-Site

SUPPORTING INFORMATION
Glossary of Terms
INFORMATION SECURITY: COUNTERING THE THREAT

The Threat Environment

Advances in information and communications technology (ICT) are allowing for greater accessibility, mobility, convenience, efficiency and productivity across almost all aspects of Australian life. Australia's national security, economic prosperity and social wellbeing now depend on ICT, and the Internet in particular. The security of sensitive government and commercial information, the security of our digital infrastructure, and public and international confidence in Australia as a safe place to do business online are critical to our future.

Because any Internet-connected device or computer system is highly susceptible to malicious cyber activity, our dependence on ICT also brings greater exposure to threats. The threat is not limited to classified systems and information. A wide range of institutions, both public and private, have been subjected to malicious cyber activities.

Australia continues to be the target of persistent and sophisticated cyber exploitation activity by malicious actors. The most prevalent threat to Australian networks is cyber exploitation; that is, activity by malicious actors to covertly collect information from ICT systems. Australia is also threatened by the possibility of cyber attack: offensive activity designed to deny, degrade, disrupt or destroy information or ICT systems. [1]
Tools and Techniques

Malicious software (malware) is the main tool used to gain unauthorised access to computers, steal information and disrupt or disable networks. Since malware—along with instructions and guidance for its use—is readily available on the Internet, anyone with intent is able to access the tools and information needed to undertake malicious cyber activity. Examples of malware include trojans—programs which seem legitimate but provide malicious actors with a backdoor into systems—as well as spyware, a general term for programs that covertly monitor and collect information from a system. Information stolen can be used to craft targeted cyber intrusions, create false identities, or even facilitate access into more valuable commercial or government systems.

Any computer compromised by malware has the potential to be invisibly conscripted into networks of compromised Internet-connected computers, known as botnets. Botnets are used to send spam, steal information, distribute malware and conduct attacks on a larger scale.
[1] Symantec Corporation, Internet Security Threat Report 2013, 2013.
A commonly used technique to spread malware is social engineering, in which malicious emails are tailored to entice the reader to open them. Unsuspecting users may be tempted to open malicious email attachments or follow embedded links to malicious websites; either action could lead to a compromise. These campaigns are becoming increasingly tailored and credible. Malicious emails often appear to be from someone the reader knows, such as their employer, colleague or friend. Some even have convincing-looking commercial logos and signatures and target a specific personal interest or a subject matter relevant to their work. Malicious websites can be equally convincing. They can masquerade as a legitimate site used by an individual, such as their personal banking website, in order to mislead them into revealing personal information. [2]
Actors

The Australian Signals Directorate (ASD), through the Cyber Security Operations Centre (CSOC), communicates key assessments to government regarding the actors and trends observed in the Australian cyber threat environment.
Users

Cyber exploitation and cyber crime are unintentionally enabled by everyday users at home, at work or on mobile computing devices. Many users still assume that responsibility for information security rests with the organisations with which they interact, such as banks and online retailers. However, even the best technical security measures can be defeated by inappropriate user behaviour. Some users, in particular individuals and small businesses, are more vulnerable due to a general lack of awareness of cyber threats and relatively low resources devoted to information security.

Users are targets in themselves for cyber crimes such as fraud and identity theft. When compromised, users can also become unintentional enablers of malicious cyber activity. The increasingly interconnected nature of our private, public and work ICT means that malware accidentally downloaded on one system can quickly lead to the infection of other devices across different environments. Inadvertently visiting the wrong website or opening the wrong email attachment can have wider consequences, including the conscription of the device into a botnet—which can then be used to facilitate large-scale cyber crime or cyber attacks—or the establishment of an access point into a connected personal, commercial or government system. [3]
[2] Symantec Corporation, Internet Security Threat Report 2013, 2013.
[3] Sophos, Security Threat Report 2013, 2013.
Malicious Actors

Australia is an attractive target for cyber exploitation due to its prominent role in the Asia-Pacific region and major international organisations, and its strong diplomatic, defence and intelligence relationship with the United States. Australia's wealth, resource industries and niche expertise in some research and development fields also motivate actors to target Australia. Information collected through cyber exploitation could be used to gain a relative economic, diplomatic or political advantage against Australia. It can also be used to bridge a technological gap. By stealing, for instance, intellectual property, malicious actors are able to access new technologies while circumventing costly and lengthy research and development programs. Personal information gathered, such as financial or medical records, could also be used to enable malicious activities through techniques such as social engineering. [4]

State-sponsored actors work on behalf of a foreign entity and are the most active malicious adversaries ASD has observed. They are also the most sophisticated and best resourced adversaries. State-sponsored actors seek national security information to identify vulnerabilities in our capabilities or to gain a strategic advantage. However, malicious activity often has an economic focus, with targeting of Australia's commercial sectors (for example, the resources, banking and telecommunications sectors) also prevalent.

Issue-motivated groups often seek to disrupt and embarrass governments, international organisations and multinational corporations in an expression of anti-establishment protest. These groups typically undertake acts in response to specific controversial events or incidents, or to coincide with significant dates or major events. Loosely coordinated international hacker groups, such as Anonymous and LulzSec, have gained notoriety and demonstrated their intent and capability to conduct cyber attacks and data theft against a wide variety of high-profile targets, including Australian government agencies. Citing a range of idealistic motivations, such as fighting for individual freedoms, calling for government transparency and opposing censorship, as well as simply for malicious 'fun', the groups often exploit common and relatively unsophisticated techniques to achieve their aims. For the most part, these attacks have been embarrassing and inconvenient; however, the disclosure of sensitive commercial or government information can threaten national interests, for example through the loss of consumer confidence in Australia's digital economy. [5]
[4] McAfee Labs, McAfee Threats Report: Second Quarter 2013, 2013.
[5] Australian Competition and Consumer Commission, Targeting Scams: Report of the ACCC on scam activity in 2012, 2013.
Cyber criminals are following legitimate businesses online to create new opportunities for profit. The nature of the Internet—borderless, anonymous, easily accessible and holding high volumes of financial, commercial and personal information—has boosted the incentives for committing cyber crime and allowed its organisation to become more audacious, efficient and effective. A prolific and increasingly professional underground market of malicious cyber tools and services exists on the Internet. This market includes the sale or hire of criminal malware and botnets, guidance, recruitment and trading in stolen information such as credit card details and intellectual property. Criminals are becoming less content with simple, indiscriminate spam and fraud attempts, and are developing sophisticated, customised malware that targets emerging technologies, social media and mobile computing devices. The last few years have also seen a proliferation of target-specific malware aimed at, for example, particular banks, types of ATMs and financial exchanges.
Conclusion

The incentives for, and capability to conduct, malicious activity in cyberspace will be enhanced by a combination of observed trends.

Motivation is increasing. Australia's increasing reliance on the Internet is leading to more high-value information being stored and communicated on Australian government and commercial networks. This is boosting the incentive to undertake cyber crime or exploitation for direct monetary profit or indirect economic and political advantage.

Capability is easier to acquire. Acquiring a cyber capability is becoming easier with increasingly sophisticated tools, information and guidance readily available online.

New technologies will generate new vulnerabilities. The proliferation of new technologies will increase the number of potential vulnerabilities. Of note, the growth in cloud computing and expanding use of mobile computing devices, such as smartphones, laptops and tablet computers, will generate more platforms—with distinct software, settings and applications—and more users to exploit.

The spectrum of malicious actors is expanding. The ease of acquiring a cyber capability coupled with the potential high gains—whether financial, economic, diplomatic or political—is enticing more actors into malicious cyber activity.
Countering the Cyber Threat

Malicious cyber activity will continue to challenge Australia's national security, economic prosperity and social wellbeing. As cyber threats become increasingly sophisticated and targeted, cyber security incidents can have significant and direct impacts on organisations. However, properly assessing the security risks specific to your organisation can help to minimise your vulnerability to cyber threats.

Questions Senior Management Need to Consider

Are you confident that your networks are not currently compromised? Is the security culture of your organisation a strength or a weakness? Here are five questions you should discuss with your information security team to review your organisation's security measures.

What would a serious cyber security incident cost our organisation?
Good information security is like an insurance policy. Good security can avoid direct costs of clean-up and also indirect costs such as downtime, lost productivity and loss of reputation and confidence in your organisation. If customer records, financial data or intellectual property were stolen, could you quickly and accurately determine what was lost? What if you had to take a system offline to conduct a forensic or legal investigation?

Who would benefit from having access to our information?
Your information is valuable. There are many state and non-state actors who would benefit from having access to your agency's information. Identify critical information, the confidentiality, integrity and availability of which is essential to the ongoing function of your organisation. It is important to consider the aggregated value of your information, not only the value of individual records. Every organisation faces different threats and security risks, and needs to deal with them in different ways.

What makes us secure against threats?
Security is an ongoing process, not a product. As cyber intrusions become more sophisticated and targeted, so do information security techniques and processes. To secure your organisation against threats, make sure appropriate security governance, clearly defined policy, user education and third party assessments are in place, as they are all vital parts of information security. There is no silver bullet for information security and security products alone are not a solution.

Is the behaviour of my staff enabling a strong security culture?
Staff education is key. It only takes one malicious email attachment to be opened or one malicious website to be accessed to potentially compromise your whole business. Effectively trained staff enable a strong security culture. Responsibility for information is shared amongst all members of your organisation, so all staff should be aware of the threat to reduce the security risk of valued information being stolen.
Are we ready to respond to a cyber security incident?
Will a compromise affect your continuity? Sadly, many organisations do not take information security seriously until they have been compromised. Your systems could be taken offline by an attack, for example a Denial of Service attack (an attempt to flood networks with unwanted traffic to disrupt or degrade services), affecting the availability and resilience of your network. Having access to current threat information, including the likelihood and consequences of threats, will enable informed risk assessments. By assessing the risk and allocating adequate resources to protect your information security assets, your organisation can build a stronger security foundation and improve resilience. Most organisations conduct fire drills; perhaps it's also time to test your resilience against a serious cyber security incident.
The Australian Government Information Security Manual

The ISM, issued by ASD, is the Government's flagship product designed to assist Australian government agencies in applying a risk-based approach to protecting their information and ICT systems. This manual supports the guiding principles and strategic priorities outlined in the Australian Government Cyber Security Strategy by providing detailed information about the cyber security threat, as well as assisting agencies in determining appropriate controls to protect their information and systems. While there are other standards and guidelines designed to protect information systems, the advice in the ISM is specifically based on activity observed by ASD on Australian government networks.

Format

The ISM is comprised of a high level 'principles based' document and a detailed Controls manual, further complemented by an 'Executive Companion'. This format is designed to be more accessible to a wider audience across all levels of government to improve awareness of information security issues. This product suite targets different areas of your agency to ensure that key decision makers across government are made aware of and involved in countering threats to their information and ICT systems.
[Figure: the Information Security Manual product suite: Executive Companion; Information Security Principles; Information Security Controls; Device Specific Guides; Protect Publications; Australian Communications Security Instructions]
These products are designed to complement each other and provide agencies with the necessary information to make informed decisions based on their own business requirements, specific circumstances and risk appetite.

The Executive Companion is targeted towards the most senior executives in each agency, such as Deputy Secretaries, Secretaries and Chief Executive Officers, and comprises broader strategic messaging about key information security issues.

The Principles document is aimed at Security Executives, Chief Information Security Officers, Chief Information Officers and senior decision makers across government and focuses on providing agencies with a better understanding of the cyber threat environment and rationale to assist agencies in developing informed information security policies within their organisations.

The Controls manual is aimed at IT Security Advisors, IT Security Managers and security practitioners across government. This manual provides a set of detailed controls that, when implemented, will help agencies adhere to the higher level Principles document.

ASD produces information security policies and guidance in addition to this manual, such as Australian Communications Security Instructions (ACSI), consumer guides, hardening guides and Protect publications. These may address device- and scenario-specific security risks to government information and systems. Not all ISM requirements can be implemented on all devices or in all environments; where stipulated, this device-specific guidance takes precedence over the platform non-specific advice in this manual.
Compliance

The ISM provides agencies with a set of detailed controls that can be implemented to mitigate risks to their information and systems. Agencies are encouraged to make informed, risk-based decisions specific to their unique environments, circumstances and risk appetite.

There are two categories of compliance associated with the controls in this manual: 'must' and 'should'. These compliance requirements are determined according to the degree of security risk an agency will be accepting by not implementing the associated control. ASD's assessment of whether a control is a 'must' or a 'should' is based on ASD's experience in providing cyber and information security advice and assistance to the Australian government and reflects what ASD assesses the risk level to be. Agencies may have differing risk environments and requirements, and may have other mitigations in place to reduce the residual risk to an acceptable level.
ASD's Role

What ASD can do for you

As directed by the Intelligence Services Act 2001, ASD provides foreign signals intelligence as well as advice and assistance on matters relating to the security and integrity of electronic information. These twin missions complement each other, with the skillsets and capabilities required to be an expert at one being precisely those required to master the other. It is the same reasoning why Australia's signals intelligence and information security functions were co-located in the Defence Signals Bureau—the forerunner of ASD—more than 60 years ago.

As the Commonwealth authority on information security, and informed by its signals intelligence expertise and capabilities, ASD can provide agencies with advice and assistance as well as further information on the cyber threat. ASD conducts a number of workshops and forums with IT Security Advisors throughout the year to facilitate open discussion on countering the cyber threat. These discussions focus on the challenges faced by Australian government agencies in protecting their information and systems.

The CSOC, located in ASD, provides coordinated operational responses to cyber security incidents of national importance. The CSOC is a resource designed to serve all government agencies and has embedded representation from the Australian Defence Force, Defence Intelligence Organisation, Australian Security Intelligence Organisation, Australian Federal Police and CERT Australia.
What you can do for ASD

Successfully protecting Australian networks from an increasingly sophisticated and persistent cyber threat requires strong collaboration. While ASD can provide technical advice and assistance, we cannot tackle this challenge alone. Reporting of cyber security incidents provides ASD with greater visibility of the threat environment and assists in the prevention of cyber intrusions on Australian government networks.

While the information in the ISM is extensive, it represents advice at a point in time as technology and the threat environment continue to evolve. Please keep us informed on how we can continue to provide tailored advice that best meets the needs and requirements of your agency. ASD will focus on providing advice according to where it is most needed.
Contact

For all urgent and operational enquiries:
• Phone 1300 CYBER1 (1300 292 371) and select 1 at any time.
• Fill out a cyber security incident report form on the OnSecure website (www.onsecure.gov.au).

For all non-urgent and general enquiries:
• Phone 1300 CYBER1 (1300 292 371) and select 2 at any time.
• Use the Advice and Assistance form on the OnSecure website. Australian Government-sponsored customers who do not have an OnSecure account should apply for one.
• Email: [email protected]
PRINCIPLES

Information Security Risk Management

Rationale

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The ISM is designed as a tool to assist Australian government agencies to risk-manage the protection of their information and systems. It represents best practice in mitigating or minimising the threat to Australian government systems. However, there is no one-size-fits-all approach to information security. Taking a risk management approach to information security provides agencies with the flexibility to allow for differences in their environment when making security decisions.

Agencies will have different security requirements, business needs and risk appetites from one another. It may not be possible or appropriate for an agency to implement all security controls included in the Controls manual. Information security risk management requires agencies to understand the security risks they face, so that they can make informed decisions when using technology. Understanding the risk environment specific to your agency will also enable greater flexibility and adaptability in responding to changes to that environment as the threat landscape evolves.
Scope

This chapter describes the expectations on Australian government agencies in taking a risk management approach to information security.
Principles

1. Requirement to Adopt a Risk Management Approach

Provide accountable authorities with a holistic understanding of their security posture by incorporating information security into an agency's broader risk management practices.

It is a mandatory requirement of the Australian Government Protective Security Policy Framework that agencies adopt a risk management approach to cover all areas of protective security across their organisation. Since an agency's risk owner is accountable for an information or cyber security incident, it is important they are made aware of any residual risks to agency information and systems through a formal approval process. Information security should therefore be incorporated into an agency's broader risk management practices.
2. Information Security Risk Management Process

Implement a risk management approach to information security by identifying, analysing, evaluating and, where appropriate, treating security risks to information and systems.

Risk management allows agencies to balance the operational and economic costs of information security measures with the need to protect the information and systems that support their organisational functions. The process of identifying, analysing and evaluating information security risks can help agencies select security controls suitable for their unique business environments. Risks deemed unacceptable are treated by implementing appropriate security measures. Risks deemed acceptable, as well as any residual security risks, are formally accepted by an appropriate authority.

The ISM communicates potential information security risks faced by Australian government agencies. It can assist agencies in understanding the consequences of non-compliance with advised security controls and whether such non-compliance presents an acceptable level of risk. The ISM Controls manual provides guidance on appropriate risk mitigation strategies.

As a whole-of-government policy document, the advice in the ISM is necessarily device and agency non-specific. Not all ISM requirements can be implemented on all devices or in all environments. In these cases, device-specific advice issued by ASD may take precedence over the advice in the ISM. Agencies should familiarise themselves with other documentation suites issued by ASD. Relevant documentation is referenced in each section of the ISM Controls manual.
References

Further information on risk management and protective security requirements can be found in the Australian Government Protective Security Policy Framework, available at www.protectivesecurity.gov.au. For further guidance please refer to the Australian Standard for Risk Management AS/NZS ISO 31000:2009, the Australian Standards HB 167:2006 Security risk management and HB 327:2010 Communicating and consulting about risk. The Protective Security Training College, managed by the Attorney-General's Department, provides formal training opportunities on the subject of security risk management: www.ag.gov.au/NationalSecurity/ProtectiveSecurityTraining/Pages/default.aspx.
Roles and Responsibilities

Rationale

Managing information security at the senior executive level provides agencies with strategic-level guidance that ensures compliance with national policy, standards, regulation and legislation. Further, senior support best ensures an agency's ability to restore business-critical services to an operational state in the event of a disaster. Duties should be assigned to individuals with an appropriate level of authority, access to information and resources, technical expertise and time to dedicate to meeting these responsibilities. Agencies should also ensure there is sufficient separation of duties to provide quality assurance and avoid any actual or perceived conflict of interest. [6]
Scope

This chapter describes roles and responsibilities concerning information security.
Principles

1. Visibility

Provide personnel, including decision makers, with sufficient information to perform their duties by adopting a robust and effective governance framework.

An effective information security governance framework will provide decision makers with a current, accurate and holistic understanding of the threat environment, enabling them to make informed risk-based decisions in relation to information security. It is also important to ensure that this information is passed to system owners and stakeholders and that it is considered during accreditation activities.

2. Accountability

Ensure duties are undertaken at an appropriate level and conducted accountably by adopting a governance framework with clearly defined roles and responsibilities.

A strong governance framework will promote accountability and ensure that all duties are assigned to individuals with an appropriate level of authority.

3. Probity

Reduce the likelihood of an actual or perceived conflict of interest by maintaining clear separation of duties.

The separation of duties can prevent an actual or perceived conflict of interest. For instance, there can be a conflict of interest in a system owner assessing the security of their own system.
References

Nil.

[6] Ponemon Institute, 2009 Annual Study: Cost of a Data Breach — Understanding Financial Impact, Customer Turnover and Preventative Solutions, 2010.
PRINCIPLES | 2014 INFORMATION SECURITY MANUAL
PRINCIPLES: INDUSTRY ENGAGEMENT AND OUTSOURCING

Industry Engagement and Outsourcing

Rationale
Outsourcing can be a cost-effective option for providing information technology services and functions in an agency, as well as potentially delivering a superior service. However, it can also affect an agency's risk profile and its control over its threat environment. Storing data in multiple disparate locations and allowing more people to access agency information can significantly increase the potential for network infection and for information loss or compromise.
Cloud computing (abstracted, scalable ICT infrastructure that can be leased to customers on a 'pay as you go' basis) will be one of the most significant shifts in ICT in the next decade. Removing the need for infrastructure management has clear financial and operational benefits for agencies. However, because cloud services are reached over the Internet, data stored in them is exposed to malicious cyber activity. Moreover, the physical data storage location, and the people responsible for it, will not necessarily be known to the customer. This diminishes customer control over threat mitigation and response and increases the threat from malicious insiders.
The Attorney-General's Department has produced a document outlining the Australian Government Policy and Risk management guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT arrangements. This guidance should be consulted in addition to ASD's Cloud Computing Security Considerations when considering outsourcing agency ICT functions.[7]
Scope
This chapter provides information on outsourcing information technology services and functions to industry, as well as providing industry with access to information in order to undertake those duties.
Principles
1. Industry Engagement and Outsourcing
Maintain the confidentiality, integrity and availability of information by ensuring agency-approved security measures are implemented by service providers handling agency information, and that sensitive or classified information remains within Australian borders at all times. Ensuring that service provider systems are located in Australia and are accredited to the same minimum standard as the sponsoring agency's systems provides assurance that sensitive or classified information is receiving an appropriate level of protection. The risk of a malicious actor accessing agency information greatly increases if the information is stored or transmitted outside Australian borders.
[7] Ponemon Institute, Cost of a Data Breach Study, 2012.

2014 INFORMATION SECURITY MANUAL | PRINCIPLES
References
Additional information regarding cloud computing security considerations can be found on the ASD website at www.asd.gov.au/infosec/cloudsecurity.htm. The Australian Government Information Management Office (AGIMO) is the lead agency for whole-of-government policy on cloud computing. Relevant documentation can be found at www.finance.gov.au/cloud/. The Attorney-General's Department's Australian Government Policy and Risk management guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT arrangements can be found at www.protectivesecurity.gov.au/informationsecurity/Pages/Supporting-guidelines-to-information-security-(including-the-classification-system).aspx. Better practice guidance developed by the Attorney-General's Department can be found in Security of Outsourced Services and Functions at www.protectivesecurity.gov.au.
PRINCIPLES: INFORMATION SECURITY DOCUMENTATION
Information Security Documentation

Rationale
Documentation is vital to any information security regime, as it supports the accurate and consistent application of policy and procedures within an agency. Documentation also provides increased accountability and a standard against which compliance can be measured. The following suite of documents forms the Information Security Management Framework, as mandated in the Australian Government Information Security Management Protocol of the Australian Government Protective Security Policy Framework:
1. Information security policy. To set the strategic direction for an agency's information security and allow management to communicate its goals and expectations.
2. Security risk management plan. To identify security risks and appropriate mitigation measures for systems and determine a risk tolerance threshold, ensuring risks are able to be managed in a coordinated and consistent manner across an agency.
3. System security plan. To ensure specific security measures for the implementation and operation of a specific system are adequately communicated and considered.
4. Standard operating procedures. To assist personnel to follow security procedures in an appropriate and uniform manner, with a minimum level of confusion.
5. Incident response plan. To communicate which actions to take in response to a cyber security incident, with sufficient flexibility, scope and detail to address the majority of incidents which could arise.
6. Emergency procedures. To ensure information and systems are properly secured before personnel evacuate a facility, as emergency situations can be exploited as an opportunity for a malicious actor to gain access to systems.
7. Business continuity and disaster recovery plans. To help maintain security in the face of unexpected events and changes by ensuring critical functions continue to operate when a system is working in a degraded state, or by reducing the time between a disaster occurring and critical functions being restored.[8]
To avoid confusion and ensure information security policy and procedures are properly applied, it is essential that all documents work in concert with, and do not contradict, each other. Clear and logical wording will ensure the documents are easy to use and, consequently, effective.
[8] CISCO, Annual Security Report, 2008.
The cyber threat environment is dynamic, and so are agency business requirements. If an agency fails to keep its information security documentation current through regular reviews that reflect the changing environment, its security measures and processes may cease to be effective. In that situation, resources could be devoted to areas that have reduced effectiveness or are no longer relevant.
Scope
This chapter describes the development of information security documentation for systems.
Principles
1. Information Security Documentation
Apply agency policy and procedures consistently and accountably by adopting a comprehensive suite of information security documentation, which is regularly reviewed and tailored to specific systems and user roles. An appropriate and interconnected suite of information security documentation assists in the proper, consistent and accountable application of policy and procedures within an agency. Agencies need to communicate new or altered policies and procedures to stakeholders to ensure they are properly implemented.
References
Information on the development of security risk management plans can be found in the Information Security Risk Management Guidelines available from Standards Australia at www.standards.org.au. Information relating to the Information Security Management Framework is contained in the Australian Government Information Security Management Protocol of the Australian Government Protective Security Policy Framework, which can be found at www.protectivesecurity.gov.au.
PRINCIPLES: SYSTEM ACCREDITATION
System Accreditation

Rationale
Accreditation is the process by which an appropriate authority formally recognises and accepts that the residual risks on a system are appropriate for the classification of the information that it processes, stores or communicates. Agencies must accredit all systems before they can be put into operation. Accreditation provides agencies with assurance that either sufficient security measures have been put in place on their systems or deficiencies in such measures have been accepted by an appropriate authority. The following diagram shows, at a high level, the process of accreditation:
[Figure: the accreditation process. Four roles take part: System Owner, Accreditation Authority, Certification Authority and Assessor. The system owner requests accreditation (or reaccreditation) from the accreditation authority; the accreditation authority requests certification from the certification authority; the certification authority requests an audit from the assessor. The assessor conducts a first stage audit, the system owner implements controls, and the assessor conducts a second stage audit. The certification authority assesses the audit report and residual risk and awards certification. The accreditation authority assesses the certification report, assesses the residual risk and other factors, and awards accreditation, after which the system owner operates the system.]
The accreditation process does not only apply to new systems. It is important that systems are reaccredited as the information technology and cyber threat environments continue to evolve. Performing regular accreditation facilitates understanding of a system's current security environment and provides assurance that information systems meet the agency's security requirements. Once a system has been accredited, continual monitoring activities will assist in assessing changes to its environment and operation and determining the implications for the risk profile and accreditation status of the system. When accrediting a system, it is also important to remain aware of legislative and policy requirements if the system connects to another party's system. Agencies should ensure they are aware of the security measures the other party has implemented to protect their information, and accept any risks associated with connecting to such systems. Further, it is vital that Australian citizens maintain control of systems that process, store and communicate Australian Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) information.
Scope
This chapter describes the accreditation framework for systems and agencies' responsibilities.
Principles
1. Accreditation Framework
Ensure that an appropriate level of security is being applied to agency systems, and that any residual risks have been accepted, by adopting a robust accreditation framework. An appropriate accreditation framework will comprise clear lines of accountability and a segregation of roles and responsibilities to provide agencies with an impartial mechanism to assess the security of their systems.
2. Conducting Audits
Certify agency systems under the accreditation framework by conducting impartial audits. The aim of an audit is to review the system architecture (including the information security documentation) and assess the actual implementation, appropriateness and effectiveness of controls for a system. Audits are typically undertaken by Information Security Registered Assessors. The outcome of an audit is a report to the certification authority describing areas of compliance and non-compliance for a system and any suggested remediation actions. The compliance report helps the certification authority assess the residual risk relating to the operation of a system following the audit and any remediation activities the system owner may have undertaken.
3. Conducting Certifications
Independently verify the integrity and accept the outcome of an audit by certifying a system as part of the accreditation framework.
Certification provides the accreditation authority with information on the security posture of a system. This allows the accreditation authority to make an informed decision on whether the residual risk of allowing the system to operate is acceptable. The certification authority is typically the officer responsible for overseeing information technology security management across the agency; however, ASD acts as the certification authority for TOP SECRET systems. Certification for a system will be awarded once the certification authority is satisfied that the system has been appropriately audited and that the controls identified by the system owner have been implemented and are operating effectively. The certification authority can then make a recommendation to the accreditation authority on whether or not to award accreditation, based on an assessment of the residual risk relating to the operation of the system.
4. Conducting Accreditations
Accept that the residual security risks on an agency system are appropriate for the information it processes, stores or communicates by accrediting the system before it is put into operation. Accreditation of a system ensures that either sufficient security measures have been put in place or that deficiencies in such measures have been accepted by an appropriate authority. An accreditation authority awards approval to operate the system and is typically the agency head, or at least a senior executive who has an appropriate level of understanding of the risks they are accepting on behalf of the agency. The exception is TOP SECRET systems, for which ASD is the accreditation authority.
References
Policy and Procedures for the Information Security Registered Assessor Program contains a definition of the range of activities Information Security Registered Assessors are authorised to perform. It can be obtained from ASD's website at www.asd.gov.au/infosec/irap.htm.
PRINCIPLES: INFORMATION SECURITY MONITORING
Information Security Monitoring

Rationale
Information security is a continual process, one that extends beyond ensuring that a system is secure at the time of deployment. Vulnerabilities can be introduced into a system through poor design, planning, implementation, change management or maintenance, as well as through changes in technology or attack vectors. Unmitigated vulnerabilities provide the means for a malicious actor to compromise systems and information. Information security monitoring practices help ensure that new vulnerabilities are addressed and that security is maintained through unforeseen events and changes, whether internal to the system or in the system's operating environment. Such practices allow agencies to be proactive in identifying, prioritising and responding to risks. Measures to monitor and manage vulnerabilities in, and changes to, a system can provide an agency with valuable information about its level of exposure to threats, as well as assisting agencies in keeping up to date with industry and product advances.[9]
Scope
This chapter describes the importance of vulnerability management activities and robust change management processes.
Principles
1. Vulnerability Management
Maintain the security posture of systems by implementing appropriate vulnerability management practices. Vulnerability management activities, such as regular vulnerability assessments, analysis and mitigation, assist in maintaining system security as threat environments change over time. Vulnerability assessments allow agencies to identify security weaknesses caused by misconfigurations, bugs or flaws. Once a vulnerability is detected, an agency is able to determine a way forward through vulnerability analysis, assessing the vulnerability's potential impact and the available mitigation strategies. Vulnerability mitigation is the process of applying the chosen mitigations in an effective and timely manner in order to eliminate or minimise the risk; reassessing the system after mitigation confirms that the weakness has actually been closed.
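The assessment, analysis and mitigation cycle described above, as an added example in Python that is not part of the ISM: it scans a constructed OpenSSH-style server configuration against a table of expected values, ranks the deviations by severity, rewrites the weak directives, and reassesses the result to confirm nothing remains. The configuration text, the check table and the severity ratings are assumptions made for illustration; a real assessment would take its expected values from the agency's own hardening standard.

```python
"""Vulnerability assessment, analysis and mitigation over a service
configuration.  Added example for the ISM principle; the sample config
and the check table are constructed for illustration."""
from dataclasses import dataclass

# Constructed sample: an OpenSSH-style sshd_config with several weak
# settings (the file format is "Keyword value", one per line).
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 1,2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
LogLevel INFO
"""

# Expected value, severity and impact for each keyword (assumed baseline).
CHECKS = {
    "Protocol": ("2", "high", "SSH protocol 1 is cryptographically broken"),
    "PermitRootLogin": ("no", "high", "direct root logon defeats accountability"),
    "PermitEmptyPasswords": ("no", "high", "accounts without a password are reachable"),
    "PasswordAuthentication": ("no", "medium", "password guessing is possible; prefer keys"),
    "X11Forwarding": ("no", "low", "needlessly widens the server's attack surface"),
    "LogLevel": ("VERBOSE", "low", "key fingerprints are not logged for audit analysis"),
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    key: str
    observed: str
    expected: str
    severity: str
    impact: str


def parse_config(text):
    """Return {keyword: value} for the non-comment lines of a config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings


def assess(settings):
    """Assessment and analysis: compare each checked keyword with its
    expected value and return the deviations ordered by severity.  An
    absent keyword is reported as '<default>' because the daemon default
    may itself be weak and must be reviewed, not assumed safe."""
    findings = []
    for key, (expected, severity, impact) in CHECKS.items():
        observed = settings.get(key, "<default>")
        if observed.lower() != expected.lower():
            findings.append(Finding(key, observed, expected, severity, impact))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.key))


def mitigate(text, findings):
    """Mitigation: rewrite each offending directive with its expected value
    and append directives that were absent.  Comments and unrelated lines
    are preserved so the change is reviewable under change management."""
    fixes = {f.key: f.expected for f in findings}
    out, seen = [], set()
    for raw in text.splitlines():
        key = raw.split("#", 1)[0].strip().partition(" ")[0]
        if key in fixes:
            out.append(f"{key} {fixes[key]}")
            seen.add(key)
        else:
            out.append(raw)
    for key in sorted(fixes.keys() - seen):
        out.append(f"{key} {fixes[key]}")
    return "\n".join(out) + "\n"


def run_cycle(text):
    """Assess, mitigate, then reassess; the residual list should be empty."""
    findings = assess(parse_config(text))
    hardened = mitigate(text, findings)
    residual = assess(parse_config(hardened))
    return findings, hardened, residual


if __name__ == "__main__":
    before, hardened, after = run_cycle(SAMPLE_CONFIG)
    for f in before:
        print(f"[{f.severity:<6}] {f.key}={f.observed} (expected {f.expected}): {f.impact}")
    print(f"{len(before)} findings before mitigation, {len(after)} after")
```

The point of the final reassessment is that mitigation is not finished when a change is made but when the assessment that found the weakness no longer finds it; the same pattern applies whether the scanner is a script like this or a commercial vulnerability assessment tool.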
[9] Auditor General of Western Australia, Information Systems Audit Report (Report 4), June 2011.
2. Change Management
Ensure an agency's approved security risk threshold is maintained when implementing system changes by applying appropriate change management processes. Implementing changes to a system can affect its overall risk. A sound change management process ensures changes are made in an accountable manner, with due consideration and with appropriate approval. It also gives agencies the opportunity, where necessary, to initiate a reaccreditation process or apply vulnerability management practices, minimising the risk of system security degrading over time.
References
Nil.
PRINCIPLES: CYBER SECURITY INCIDENTS
Cyber Security Incidents

Rationale
Cyber security incidents have the potential to cause significant damage to agency business functions or to the broader government, and can result in financial loss, loss of customer confidence and damage to the reputation of an agency or government. Agencies can lessen the impact, and the immediate and long term response costs, of a cyber security incident by investing in effective measures to detect, prevent, report and manage cyber security incidents. Such measures can help identify gaps in information security policies and procedures, and assist in the development of additional measures required to prevent future incidents occurring. The development of a robust cyber security incident management and response plan positions an agency to detect threats and respond swiftly and appropriately in the event of a cyber security incident. Having sound and up-to-date knowledge of the affected system will enable an agency to quickly identify the cause and extent of the incident and restore the system to an operational and secure state as soon as possible.[10] Additionally, actively monitoring the cyber security threat environment and actioning advice provided by ASD will assist in evolving agency understanding of the cyber threat and help inform agency incident response planning.
Users of an agency system should be considered an important and integrated element of any agency's cyber security detection and response strategy. Many potential cyber security incidents are noticed by users before security staff are alerted by technical measures. For this to happen, users must receive training on information security, including how to recognise and respond to potential cyber incidents, and be provided with a process to report any observed or suspected security incidents. A user reporting process can assist an agency in recording all cyber security incidents, particularly those which a security manager or system owner would otherwise fail to notice, as well as ensuring that any digital evidence relating to an incident is managed so that it remains accessible and usable for as long as it is needed. This includes ensuring that metadata about the digital records, who used them, and how they were used is retained.
Scope
This chapter describes the detection, reporting and management of cyber security incidents.

[10] Ponemon Institute, 2011 Cost of a Data Breach Australia, 2012.
Principles
1. Detection
Reduce the impact of, and the time taken to resolve, cyber security incidents by implementing proper procedures and appropriately configured technical measures. Early detection of a cyber security incident allows for early response and resolution. Detection tools and procedures work to mitigate the most common methods of attack used to exploit systems. Measures for detecting cyber security incidents include intrusion detection strategies, malicious code countermeasures, audit analysis and system integrity checking. However, automated tools are only as good as the analysis they provide: if a tool is not configured to assess the security risks that actually apply to a system (for example, if its thresholds or signatures do not match the behaviour it should be looking for), a weakness will not be evident when it emerges. Regularly updating detection tools to cover newly known vulnerabilities will help avoid a degradation in their effectiveness over time.
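Audit analysis of the kind the principle names, as an added Python example that is not part of the ISM: it parses constructed sshd-style authentication log lines, raises an alert when one source address reaches a threshold of failed logons inside a time window, and escalates the alert if that source later logged on successfully. The log lines, the addresses, the threshold and the window are assumptions for illustration. It also shows the configuration caveat from the paragraph above: with the default 60-second window the slow guessing campaign from 198.51.100.5 in the sample is missed, and only a wider window configured for that behaviour reveals it.

```python
"""Audit-log analysis: detect password guessing and a following successful
logon from the same source.  Added example for the ISM Detection principle;
every log line below is constructed, using documentation-range addresses."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2014-03-10T09:15:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2014-03-10T09:15:03 gw sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
2014-03-10T09:15:04 gw sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
2014-03-10T09:15:06 gw sshd[1204]: Failed password for root from 203.0.113.7 port 51025 ssh2
2014-03-10T09:15:08 gw sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
2014-03-10T09:15:11 gw sshd[1206]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2014-03-10T09:16:40 gw sshd[1210]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2014-03-10T09:16:47 gw sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
2014-03-10T11:02:00 gw sshd[1300]: Failed password for bob from 198.51.100.5 port 33000 ssh2
2014-03-10T11:40:00 gw sshd[1301]: Failed password for bob from 198.51.100.5 port 33001 ssh2
2014-03-10T12:15:00 gw sshd[1302]: Failed password for bob from 198.51.100.5 port 33002 ssh2
2014-03-10T12:50:00 gw sshd[1303]: Failed password for bob from 198.51.100.5 port 33003 ssh2
2014-03-10T13:30:00 gw sshd[1304]: Failed password for bob from 198.51.100.5 port 33004 ssh2
2014-03-10T13:31:00 gw cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Return logon events as dicts; lines that are not sshd logon records
    (the cron line above) are skipped rather than crashing the analysis."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "outcome": m["outcome"], "user": m["user"], "src": m["src"]})
    return events


def detect(events, threshold=5, window_seconds=60):
    """Sliding-window count of failed logons per source.  Returns one alert
    per source that reaches `threshold` failures within `window_seconds`;
    the alert is escalated to 'compromise' if a later logon from that source
    succeeded, which is the case that must be responded to first."""
    window = timedelta(seconds=window_seconds)
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["outcome"] == "Failed" else successes)[e["src"]].append(e["ts"])
    alerts = []
    for src, times in sorted(failures.items()):
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                later_success = any(s > t for s in successes[src])
                alerts.append({"src": src, "failures": end - start + 1,
                               "severity": "compromise" if later_success else "guessing"})
                break
    return alerts


def analyse(text, **kwargs):
    return detect(parse_events(text), **kwargs)


if __name__ == "__main__":
    print("60 s window:", analyse(SAMPLE_LOG))
    print("3 h window: ", analyse(SAMPLE_LOG, window_seconds=3 * 3600))
```

Run with the defaults, only the fast burst from 203.0.113.7 is reported, and it is already a compromise because the sixth attempt succeeded; run with a three-hour window, the five spaced-out failures from 198.51.100.5 also surface. Neither setting is wrong in itself, but whichever is chosen must match the behaviour the agency actually needs to see, which is the caveat in the principle.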
2. Reporting
Maintain an up-to-date and accurate understanding of the cyber threat environment specific to your network, and contribute to the overall cyber threat picture, by implementing internal and external cyber reporting procedures. Robust measures for reporting cyber security incidents can provide management with a means to assess the overall damage to a system and to take remedial action, including seeking advice from ASD if necessary.[11] The ASD-established Cyber Security Incident Reporting Scheme assists in maintaining an accurate threat environment picture for systems across government. ASD uses cyber security incident reports as the basis for recognising trends, identifying and responding to incidents, and developing new policies, procedures, techniques and training to prevent the recurrence of similar incidents across government. Reporting cyber security incidents to ASD through the appropriate channels ensures proper and timely assistance can be provided. Reporting any cyber security incident involving the loss or misuse of cryptographic keying material is critical, as system users rely on that material for the confidentiality and integrity of their secure communications.
3. Management
Enable necessary information to be retained to resolve current, or mitigate future, cyber security incidents by implementing appropriate management procedures. Proper management of cyber security incidents, such as recording incidents, designating responsibilities, handling and containing data spills and malicious code infections, and securing the integrity of evidence, can help resolve current incidents and prevent future occurrences. Recording cyber security incidents can highlight the nature and frequency of incidents, to assist in taking corrective action and informing future risk assessments for systems.
[11] Verizon, 2012 Data Breach Investigations Report, 2012.
Using the information gained during an incident can better prepare an agency for handling future incidents and provide stronger protection for systems and information. Maintaining the integrity of evidence, such as logs, audit trails and other detection tool outputs, after an incident ensures better assistance can be provided. Protecting digital evidence is not only important for investigations leading to criminal prosecution, but is vital to ASD when responding to and investigating cyber security incidents. Moreover, agencies are required under the Archives Act 1983 to retain records such as event logs and audit trails for specific minimum periods.
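Preserving evidence integrity as described above, as an added Python example that is not part of the ISM: it records a SHA-256 manifest of the collected evidence items at the time of collection, seals the manifest with an HMAC so that the manifest itself cannot be altered unnoticed, and later reports each item as intact, modified, missing or unexpected. The evidence items and the custody key are constructed; a real collection would hash files on disk and keep the key and the sealed manifest apart from the evidence store.

```python
"""Evidence integrity: SHA-256 manifest of collected items plus an HMAC
seal over the manifest.  Added example for the ISM incident-management
principle; the evidence items and the key are constructed."""
import hashlib
import hmac
import json

# Constructed evidence items (name -> content).  Real collections would
# read files from disk; bytes are embedded here so the example runs offline.
EVIDENCE = {
    "auth.log": b"2014-03-10T09:15:11 gw sshd[1206]: Accepted password for root from 203.0.113.7\n",
    "ids-alerts.json": b'[{"sig": "SSH brute-force attempt", "src": "203.0.113.7"}]',
    "proxy.log": b"2014-03-10T09:20:02 203.0.113.7 CONNECT example.invalid:443\n",
}
# Assumed custody key; in practice held by the incident lead, not on the host.
CUSTODY_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence):
    """Hash every item at collection time."""
    return {name: sha256_hex(data) for name, data in sorted(evidence.items())}


def seal(manifest, key):
    """HMAC-SHA256 over the canonical JSON form of the manifest.  Without
    this, whoever altered an evidence item could simply update its hash."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(evidence, manifest, tag, key):
    """Return (manifest_intact, {name: status}); status is one of
    ok / modified / missing / unexpected."""
    intact = hmac.compare_digest(seal(manifest, key), tag)
    status = {}
    for name, expected in manifest.items():
        if name not in evidence:
            status[name] = "missing"
        elif not hmac.compare_digest(sha256_hex(evidence[name]), expected):
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in evidence.keys() - manifest.keys():
        status[name] = "unexpected"
    return intact, status


def demo():
    """Seal the collection, then check it before and after simulated tampering
    (the attacker's logon scrubbed, a log removed, an item added later)."""
    manifest = build_manifest(EVIDENCE)
    tag = seal(manifest, CUSTODY_KEY)
    tampered = dict(EVIDENCE)
    tampered["auth.log"] = b""
    del tampered["proxy.log"]
    tampered["notes.txt"] = b"added after collection"
    return verify(EVIDENCE, manifest, tag, CUSTODY_KEY), verify(tampered, manifest, tag, CUSTODY_KEY)


if __name__ == "__main__":
    clean, altered = demo()
    print("untouched:", clean)
    print("tampered: ", altered)
```

The seal is what makes the manifest evidence of the evidence: a bare list of hashes can be rewritten by anyone who rewrote the logs, whereas a forged manifest fails the HMAC check unless the custody key was also obtained. Retention periods under the Archives Act apply to the sealed manifest and key as much as to the logs themselves.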
References
Further information on minimum retention periods for Commonwealth records is provided in the National Archives of Australia's Administrative Functions Disposal Authority, which can be found at www.naa.gov.au/records-management/agency/keep-destroy-transfer/agency-ra/index.aspx.
PRINCIPLES: PHYSICAL SECURITY

Physical Security

Rationale
Physical security is fundamental to all security efforts. Without adequate physical security controls, all other information security measures are considerably more difficult, if not impossible, to implement. Physical security requires that equipment and infrastructure be safeguarded in a way that minimises the risk of resource theft, destruction or tampering, for example by limiting access to areas housing network infrastructure. Physical security not only assists in preventing malicious damage, but also reduces the risk of accidents and inadvertent errors affecting a system.
A single layer of physical security, such as an identification pass that allows building access, is insufficient to mitigate the risk of compromise. A layered approach to physical security works to progressively limit access to systems and infrastructure to authorised personnel only, and prevents a shortfall in one security layer from leading to a wider, more serious failure. This is a practical example of the defence-in-depth concept applied to information security. As an example of a layered approach, an agency could require identification passes for building access as well as targeted swipe access to specific rooms, which in turn house lockable containers for storing information or equipment.[12]
Scope
This chapter outlines the physical security requirements for ICT systems and should be read in conjunction with the physical security components of the Australian Government Protective Security Policy Framework.
Principles
1. Physical Security for Systems
Limit access to facilities, servers, network devices, ICT equipment and media to authorised personnel only by applying appropriate physical security controls in accordance with the Australian Government Protective Security Policy Framework. The application of defence-in-depth to the protection of systems is enhanced through the use of successive layers of physical security, designed to limit access to those with the need and appropriate authorisation to access facilities, systems, network infrastructure, ICT equipment and media.
[12] CISCO, Data Leakage Worldwide: Common Risks and Mistakes Employees Make, 2008.
References
Physical security requirements and guidance can be found in the Australian Government Protective Security Policy Framework available at www.protectivesecurity.gov.au. In addition, the Security Equipment Catalogue, produced by the Security Construction and Equipment Committee (SCEC), provides a list of security products and vendor contact details.
PRINCIPLES: PERSONNEL SECURITY
Personnel Security

Rationale
Personnel security refers to measures which manage the risk of a trusted insider using their legitimate access to an agency's facilities, assets, systems or people for illicit gain or to cause harm, whether intentional or inadvertent. Implementing a personnel security framework assists agencies in identifying any 'inside threats' they could confront, and provides the tools to manage the associated risks. Personnel security is about being educated, informed and proactive.
By accessing an agency's information systems, employees are able to identify and understand procedures and vulnerabilities, and learn how and when they can be exploited. Legitimate access can be abused, or poor access controls can be manipulated to gain unauthorised access. Combined with an intent to commit theft, sabotage or to disclose sensitive or classified information, an employee can cause significant damage to an agency's reputation, operations, productivity or finances. Appointing suitable and trustworthy personnel to operate, maintain and access information systems creates the first line of defence in an agency's security posture.
On the other hand, personnel can cause unintentional harm if they are unaware of their security responsibilities and role in protecting an agency's systems and information. If policies are to be successful in preventing the compromise or unauthorised disclosure of information, they need to be adopted and practised by all agency personnel on a daily basis. For example, social engineering campaigns aim to exploit weaknesses in personal judgement and decision making to compromise or gain access to an agency's system or information. Fostering a culture of security awareness and responsibility through effective training and awareness programs is vital in ensuring individuals make the security decisions expected of them.
Scope
This chapter describes information security awareness and training for personnel, and the responsibilities of personnel using Internet services.
Principles
1. Information Security Awareness and Training
Foster an effective security culture within an agency by providing all personnel with ongoing information security awareness and training, tailored to system user roles and responsibilities. Fostering an effective security culture through tailored education plays a major role in protecting agency systems and information from attack or compromise. Information security awareness and training programs can educate system users, security practitioners and senior decision makers on the cyber threat environment, as well as generate support for agency security requirements and familiarise users with their roles and responsibilities. The degree and content of the programs will depend on the objectives of the agency, as well as the classification of the systems involved.
2. Using the Internet
Ensure personnel are able to use Internet services in a responsible, accountable and security-conscious manner by adopting effective usage policies and controls. Some Internet services, such as public web-based email and peer-to-peer applications, can allow personnel to bypass security measures that agencies have put in place to protect their systems. For example, files received via peer-to-peer file-sharing applications, instant messaging or chat often evade established security measures for detecting and quarantining malicious code, because those channels are not inspected by the content filters applied to email and web gateways. Further, some peer-to-peer Voice over Internet Protocol (VoIP) applications, such as Skype, use protocols designed to traverse firewalls, creating an uncontrolled access point into the system. Public web-based email can be easily exploited as a backdoor entry route for malware.[13]
Agency staff need to be aware that any personal information they post on websites could be used to inform phishing scams, or to develop a detailed profile of their life and hobbies in order to build a trust relationship with them or their associates. The relationship could then be used to elicit government information from them, or to implant malware on systems by inducing them to, for example, open emails or visit websites with malicious content. Even unclassified information that appears benign in isolation could, when combined with other information, have a considerable security impact. Agencies can help to facilitate secure use of the Internet by implementing measures that ensure Internet services and applications available to personnel are appropriately scanned for malicious code and subject to inspection by intrusion detection systems.
References
For all other guidance on personnel security requirements, please refer to the Australian Government Personnel Security Core Policy and the Australian Government Personnel Security Management Protocol of the Australian Government Protective Security Policy Framework, which can be found at www.protectivesecurity.gov.au. For information on the personnel security threat environment, please refer to The Insider Threat to Business: A personnel security handbook, as released by the Attorney-General's Department. This can be found under the 'Security' heading at www.tisn.gov.au/Pages/Publications-by-topic.aspx. Information on the policy and regulations governing the disclosure and use of government information by personnel can be found in the Managing Official Information section of APS Values and Code of Conduct in Practice, located at www.apsc.gov.au/publications-and-media/current-publications/aps-values-and-code-of-conduct-in-practice.
[13] Sophos, Security Threat Report 2012 — Seeing the Threats Through the Hype, 2012.
PRINCIPLES: COMMUNICATIONS INFRASTRUCTURE
Communications Infrastructure

Rationale
With the proliferation of system connections across government, a robust cable management regime can help agencies maintain the integrity and availability of their communications infrastructure and the confidentiality and integrity of their information. Proper cable management can minimise the likelihood of unauthorised personnel inadvertently or deliberately accessing system cables. Laying cables in a controlled manner and ensuring they are appropriately labelled, separated and accessible for visual inspection can help detect covert tampering or access to system cables that might otherwise give a malicious actor long term unauthorised access to corporate information, or damage communications infrastructure and so affect the availability of system information. Appropriate cable labelling can also prevent data spills caused by accidentally connecting one system to another of a lesser classification.
Moreover, investment in adequate cable infrastructure and appropriate cable management practices can result in considerable long term efficiencies over the life of an installation, as technology and system requirements continue to evolve. For instance, initial investment in fibre cable not only protects against unforeseen threats, but enables information to be communicated at higher classifications in the future. Implementing accessible and visible cable infrastructure can significantly reduce the expense of future upgrades, accreditation, fault finding, configuration management and regular inspection for tampering or degradation.
Compromising emanations from equipment and cables provide an opportunity for classified or sensitive information to be intercepted. Some environments, such as mobile platforms and deployable assets that process classified information, are particularly susceptible, and could be seriously affected if compromised by an emanation security attack. ASD maintains up-to-date emanation security threat assessments for relevant agencies to use when determining emanation security measures and maintaining the confidentiality and availability of classified systems. Sound cable infrastructure and installation methodology provide protection should an agency's emanation security threat increase.
Scope This chapter describes the importance of securing communications infrastructure through cable management and emanation security practices.
Principles

1. Cable Management

Protect sensitive or classified information by applying appropriate cable management practices. Appropriate cable management practices can assist an agency to protect its information by minimising the likelihood of unauthorised personnel inadvertently or deliberately accessing system cables.
2. Emanation Security

Minimise the disclosure of classified or sensitive information from compromising emanations by implementing appropriate countermeasures informed by current ASD emanation security threat assessments. Reducing emanations to an acceptable level minimises the risk that an agency’s information will be intercepted and its systems compromised. ASD maintains up to date emanation security threat assessments for relevant agencies to use when determining emanation security measures.
References

Additional information on conducting an emanation security threat assessment is found in the latest version of Australian Communications Security Instruction 71—Guidelines for the Installation of Communication and Information Processing Equipment and Systems. Additional information on cables and separation standards, as well as the potential dangers of operating radio frequency transmitters near systems, is documented in the latest version of Australian Communications Security Instruction 61—A Guide to the Assessment of Electromagnetic Security in Military and High-Risk Environments.
PRINCIPLES: COMMUNICATIONS SYSTEMS AND DEVICES

Communications Systems and Devices

Rationale

Communications systems and devices can act as a digital gateway for information coming into and going out of a network, and can facilitate the disclosure of classified or sensitive information, whether inadvertent or intentional. In some cases these devices could provide an access point into any system to which the device connects. Effective governance, including device usage policies and procedures, plays a vital role in minimising the likelihood of data spills by ensuring personnel have sufficient knowledge of the risk to, and methods to protect, classified and sensitive information which is being scanned, copied, printed or communicated. Additionally, properly considering the physical positioning of devices can reduce the potential of unauthorised access and modification.
Scope

This chapter describes the importance of implementing measures which facilitate the secure use of radio frequency and infrared devices, fax machines, multifunction devices, as well as fixed telephones and the systems to which they connect.
Principles

1. Radio Frequency and Infrared Devices

Reduce the risk of data spills by implementing measures to prevent, detect and respond to the unauthorised or unsecure use of radio frequency and infrared communications devices. Transmissions from radio frequency and infrared devices, for example Bluetooth and wireless keyboards, can create an emanation security risk if not appropriately secured, positioned or configured. Radio frequency devices are also capable of automatically connecting to systems and potentially becoming unauthorised data storage devices. Moreover, the wireless transfer of information can serve as an illicit entry point for an entire network. Appropriately configuring wireless networks, positioning devices to restrict communications from being transmitted into an unsecured space and using radio frequency shielding on facilities will assist agencies in limiting wireless communications to areas under their control.
2. Fax Machines and Multifunction Devices

Maintain the confidentiality of sensitive or classified information by appropriately configuring, and developing a proper usage policy for, fax machines and multifunction devices. Fax machines and multifunction devices (MFDs) are capable of communicating classified information across a connected network. These devices can therefore facilitate data spills, for instance by personnel scanning, copying or sending information at a classification higher than that of the network the devices are connected to. Developing an agency policy governing the use of fax machines and MFDs can help prevent actions which can lead to the unauthorised access to, and disclosure of, classified or sensitive information. In addition, when a device is connected to a computer network, it can become a bridge and therefore a potential vector to access information which has been scanned, copied or printed. Properly configuring fax machines and MFDs will assist in preventing malicious or inadvertent data spills. [14]

3. Telephones and Telephone Systems

Maintain the confidentiality of classified or sensitive information by developing a usage policy governing, and appropriately configuring, telephones and telephone systems. The improper configuration and use of telephones and telephone systems can expose classified or sensitive information to those not authorised to hear it. Telephones pose increased audio, and, in the case of video conferencing, visual security risks, and information communicated over unsecure telephone networks is exposed to interception. These risks can be reduced by ensuring personnel are aware of their environment and given guidance regarding the appropriate levels of information which can be discussed on particular telephone systems, as well as implementing measures such as encryption and off-hook security—for instance, by limiting the time an active microphone is open.
References

For more information relating to wireless communications and connectivity, please refer to the Working Off-Site chapter of this document.
[14] United Kingdom Information Commissioner's Office, News Release: Council printer mix-up breached data protection laws, 5 April 2011.
PRINCIPLES: PSPF MANDATORY REQUIREMENT INFOSEC 4 EXPLAINED

PSPF Mandatory Requirement INFOSEC 4 Explained

Rationale

Australian Government Protective Security Policy Framework (PSPF) mandatory requirement INFOSEC 4 requires agencies to implement ASD’s Strategies to Mitigate Targeted Cyber Intrusions (the Strategies) as outlined in the ISM Controls manual. To satisfy INFOSEC 4, agencies are required to implement the Top 4 of the Strategies. The Strategies were developed in order to mitigate the most common cyber security threat being faced by Australian government agencies at this point in time: targeted cyber intrusions from the Internet to the workstation. The Strategies represent a layered defence designed to protect the workstation, and by extension the corporate network, from targeted cyber intrusions. While no single strategy can prevent malicious activity, at least 85% of the incidents that ASD responds to could have been prevented by implementing the Top 4. As such, the PSPF now requires government agencies to implement the Top 4.

The Top 4 Strategies are:

1. application whitelisting
2. patch applications
3. patch operating systems
4. minimise administrative privileges.

A list of the technical controls required in order to implement the Top 4 is outlined in the PSPF Mandatory Requirement INFOSEC 4 Explained chapter of the Controls manual. The implementation of the remaining Strategies is also strongly recommended; however, these can be prioritised based on business requirements and the risk profile of each system.
Scope

This chapter outlines the ISM controls that agencies must implement in order to be compliant with PSPF mandatory requirement INFOSEC 4.
Principles

1. Controls to meet PSPF requirement INFOSEC 4

Reduce the risk of targeted cyber intrusions by implementing the Top 4 of ASD’s Strategies to Mitigate Targeted Cyber Intrusions where applicable. As the Strategies are designed to mitigate targeted content-based intrusions (that is, email and web pages), priority for implementing the Top 4 Strategies should be placed on Australian government systems that are able to receive emails or browse web content originating from a different security domain, particularly from the Internet. Other systems will benefit from implementing the Top 4, and the Top 35 Strategies more broadly; however, there may be circumstances where the risks or business impact of implementing the Strategies outweigh the benefit, and other security controls may have greater relevance. In such circumstances, agencies should apply appropriate risk management practices as outlined in the ISM. Under the PSPF, non-compliance with any mandatory requirements must be reported to an agency’s relevant portfolio minister, and also to ASD for matters relating to the ISM. Compliance reporting to the relevant portfolio minister is not intended as an extra step in the system accreditation process, nor is it assumed compliance must be gained before authority to operate can be granted to a system.
References

Further information on the Strategies can be found in the following ASD Protect publications available through the OnSecure portal and the ASD website at www.asd.gov.au/infosec/top35mitigationstrategies.htm:

• Strategies to Mitigate Targeted Cyber Intrusions
• Strategies to Mitigate Targeted Cyber Intrusions—Mitigation Details
• Top 4 Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirement Explained
• Top 4 in a Linux Environment
• Application Whitelisting Explained
• Assessing Vulnerabilities and Patches
• Minimising Administrative Privileges Explained.

Further guidance on protective security policy and the PSPF is available at www.protectivesecurity.gov.au.
PRINCIPLES: PRODUCT SECURITY

Product Security

Rationale

ICT security products, by default, do not provide security out-of-the-box and may contain flaws or vulnerabilities which are able to be exploited by a malicious actor. With the proliferation of product choices, it is increasingly difficult for agencies to know not only which ICT security products are safe to use, but also which provide the most effective functionality for their business needs and threat environment. Agencies need confidence that the ICT security products they select and use meet their organisational security needs, address known vulnerabilities and remain secure given the changing threat environment. An impartial evaluation of the security product by an independent entity can assist in achieving this confidence by verifying the security claims of a product vendor and testing for vulnerabilities. [15]

ASD maintains and publishes the Evaluated Products List (EPL)—which comprises evaluation and certification results performed by ASD, the Australasian Information Security Evaluation Program (AISEP) or from an ASD recognised foreign scheme—to provide agencies with a list of independently evaluated products to select from. Products that have been formally evaluated can help increase an agency’s confidence that a product will work as expected, but within a clearly defined set of constraints. Using an evaluated product in a different way from which it was tested could introduce threats and vulnerabilities that were not considered by the initial evaluation. In particular, greater product convergence and inter-network connectivity means that many ICT security products require third party hardware and software to operate, which can introduce new vulnerabilities that may not have been tested for. Therefore, residual security risks still need to be acknowledged and accepted when selecting and using products listed on the EPL.
Scope

This chapter describes the merit of applying ASD’s recommended risk-based processes to the selection, acquisition, installation and configuration of ICT products which provide security functions for the protection of information, as well as the value in following appropriate labelling, maintenance, sanitisation and disposal procedures for such products.
[15] CISCO, Data Leakage Worldwide: Common Risks and Mistakes Employees Make, 2008.
Principles

1. Product Security Lifecycle

Securely select, acquire, install, configure, label, maintain, repair, sanitise and dispose of ICT products that provide information security functionality by applying ASD’s recommended risk-based processes. ASD publishes a list of evaluated products on the EPL to assist agencies in making risk-based decisions for acquiring ICT security products. Selecting an ICT security product which has been evaluated by ASD or another recognised scheme provides an agency with confidence that the product will meet its business needs and accepted risk profile, and prevent unintended software possibly containing malicious code from being installed. Protective marking labels help determine appropriate handling, usage, sanitisation, disposal or destruction requirements based on classification. Ensuring that technicians who are given access to ICT products are either cleared or appropriately escorted, as well as sanitising or declassifying products when taking the product off-site for repair or maintenance, reduces the risk of unauthorised disclosure of classified or sensitive information. Following proper sanitisation and disposal procedures also mitigates the risk of inadvertently releasing classified information into the public domain.

2. High Assurance Products

Seek ASD approval or guidance as appropriate before acquiring, configuring, delivering, repairing, labelling, patching and disposing of High Assurance products. Given the potential threat vectors and the value of the information being protected, ASD is required to direct, and in some cases authorise, actions taken in regard to High Assurance products. ASD guidance and authorisation helps ensure that the functionality and integrity of such products are not degraded, for example when undertaking repairs or applying external labels, as well as preventing opportunities for a malicious actor to gain insight into government capabilities, such as through improper product disposal practices.
References

For further information on the AISEP and the EPL, please visit ASD’s website at www.asd.gov.au/infosec.
PRINCIPLES: MEDIA SECURITY

Media Security

Rationale

Instituting and maintaining a comprehensive media control program, including protecting media according to the classification of the information it stores, can help agencies mitigate the risk of disclosing classified or sensitive information. Best practice media security can help protect against not only current exploits, but also exploits that could emerge in the future.

There are a number of security risks agencies should be aware of when using media. For instance, some operating systems provide the functionality to automatically run certain types of programs that reside on media. While this was designed for a legitimate purpose, it can also be used for malicious purposes or lead to inadvertent compromise. If this functionality remains enabled, malware can execute as soon as media is connected to a system. Coupled with the ability to insert media of a higher classification into a system of lower classification, sensitive or classified information could be disclosed. Known vulnerabilities have also been demonstrated where malicious actors can connect a device to a locked workstation and still gain access to encryption keys. Furthermore, devices that have direct access to the system memory can allow a malicious actor to read or write any content to memory that they desire. The best defence against this vulnerability is to disable access to relevant ports, using either software controls or by physically damaging the ports so that devices cannot be connected.

Implementing technical measures to ensure certain types of media need to be explicitly approved for use in a classified environment provides an additional layer of user awareness and security, in case users are unaware of, or choose to ignore, media security requirements. Following sound security practices when connecting, storing, transferring, sanitising, destroying or disposing of media plays a major role in preventing classified and sensitive data spills and avoiding malicious attacks. Documenting such policies and procedures will ensure they are carried out in accordance with agency expectations.

Scope

This chapter describes the value of implementing appropriate media handling, usage, sanitisation, destruction and disposal practices. [16]
[16] Sophos, Security Threat Report 2012 — Seeing the Threats Through the Hype, 2012.
Principles

1. Media Handling

Establish a removable media policy to provide oversight and accountability for agency information transported or transferred between systems on removable media. Maintain confidentiality by accurately classifying, reclassifying (following appropriate sanitisation or destruction procedures or changes to data classification), labelling and registering media in accordance with the information it stores. Accurately classifying media provides appropriate protections for the information it stores. Media that is not correctly classified carries a greater risk of being mishandled and accessed by unauthorised persons. Labelling helps personnel to identify the classification and ensure the media is afforded the appropriate level of security. A sound process for registering and accounting for media helps minimise the likelihood of unauthorised disclosure of classified information.

2. Media Usage

Maintain the confidentiality of stored information by implementing and documenting appropriate standards for connecting, storing and transferring media. Implementing controlled and accountable processes for using media can minimise the risk of unauthorised access and disclosure by preventing classified media from being connected to systems of a lesser classification, as well as protecting information which is being stored or transferred within a media device.

3. Media Sanitisation

Reduce the likelihood of a data spill by implementing proper processes for sanitising—that is, securely overwriting information on—media that is either no longer required or before reuse. Approved sanitisation methods provide a high level of assurance that no remnant data is on the media. Sanitising media before reuse ensures that information is not inadvertently accessed by an unauthorised individual or protected by insufficient security measures. Independent verification provides assurance that the process was conducted correctly. It is important to note that some media is not able to be sanitised because of the way information is stored, for example microform and printer ribbons.

4. Media Destruction

Prevent unauthorised access to stored classified or sensitive information by destroying media that cannot be sanitised—under proper supervision and using documented procedures, appropriate equipment and waste management and transportation processes. Media destruction methods are designed to ensure that recovery of data is impossible or impractical. There are some types of, and specific circumstances under which, media cannot be sanitised and therefore, if no longer required, must be destroyed.
5. Media Disposal

Minimise the likelihood of a data spill when media is released into the public domain by declassification and a formal administrative decision to approve its disposal—by an appropriate authority and according to an agency’s documented procedures. Appropriate media disposal practices are essential in ensuring that classified information is not accidentally disclosed. Media can be disposed of only after it has been sanitised or destroyed to a point where it no longer contains sensitive or classified information. A formal administrative decision needs to be made to complete the declassification process and to allow media to be released into the public domain.
References

Nil.
PRINCIPLES: SOFTWARE SECURITY

Software Security

Rationale

Software may contain flaws and vulnerabilities which are able to be exploited by a malicious actor. These vulnerabilities can not only be used to gain unauthorised access to classified or sensitive information, but also to undermine the integrity or availability of an agency’s information—such as by targeting an agency’s public website to disrupt access or modify its content for malicious purposes. Installing antivirus software and software-based firewalls that limit inbound and outbound network connections are good first steps in reducing the risk of compromise. However, software security degrades over time as malicious actors discover new vulnerabilities and exploits, and these measures cannot be relied upon by themselves to protect workstations. Ensuring software and operating system patches are up to date, and antivirus and other security software is appropriately maintained with the latest signatures, helps address new vulnerabilities as they emerge.

Agencies can also implement measures to help protect their systems from unknown vulnerabilities, such as malicious code not yet identified by antivirus or software vendors. Restricting the running of applications on a system to only those that are specifically authorised provides increased protection against the execution and spread of malware. This is known as application whitelisting. Moreover, by limiting the promulgation of information about what software has been installed on systems, agencies can help prevent a malicious actor from gaining knowledge of how to tailor potential attacks to exploit a particular vulnerability.

Database systems contain a wealth of information, and are therefore highly desirable targets for cyber intruders, as compromising them can have significant and immediate payoffs. Implementing appropriate security controls will reduce the risk of unauthorised individuals accessing agency information held in databases, and accordingly reduce the risk involved with data aggregation. [17]

Scope

This chapter describes the importance of implementing and maintaining proper software security on agency systems.
[17] Verizon, Data Breach Investigations Report, 2012.
Principles

1. Software Security

Maintain the confidentiality, integrity and availability of agency information and protect against the execution and spread of malware by implementing appropriate software security measures on systems. Software vulnerabilities can be exploited by a malicious actor to gain access to agency information or to undermine its confidentiality, integrity or availability. Measures such as segregating networks and systems or limiting system privileges will assist in minimising the spread of malicious code or the damage it could do to an agency’s system. Even though web applications may only contain information authorised for release into the public domain, it is important to ensure security measures are incorporated to protect the integrity and availability of the information and the systems it is hosted on and connected to.

2. Known Vulnerabilities

Maximise software effectiveness and minimise vulnerabilities by implementing and routinely updating preventative measures, such as applying system and software patches, keeping antivirus signatures up to date and only running supported software. Software security will degrade over time as malicious actors continue to discover new vulnerabilities and exploits. It is important that agencies monitor available information regarding newly identified vulnerabilities and apply the security patches released to address them as part of their risk management program. Patching operating systems and applications are highly effective measures to prevent malicious actors from exploiting known vulnerabilities. Accordingly, these are two of the Top 4 Strategies in ASD’s list of Strategies to Mitigate Targeted Cyber Intrusions. [18]

3. Unknown Vulnerabilities

Maintain the confidentiality, integrity and availability of an agency’s information by removing, disabling and preventing the execution of unauthorised, unused or undesired software or software functionality wherever possible. Restricting access to or disabling unauthorised, unused or undesired software or functionality effectively limits a malicious actor’s opportunity to exploit software vulnerabilities. Application whitelisting, which enables only specifically selected applications to be activated, is one of the most effective approaches in countering unknown risks. An average system user requires access to only a few applications, or groups of applications, in order to conduct their business.
[18] Sophos, Security Threat Report 2013, 2013.
Restricting the user’s permissions to running a limited set of trusted applications significantly reduces the opportunities available for attacking a system and provides an effective mechanism to prevent system compromise due to the execution of unauthorised or malicious software. Accordingly, application whitelisting is one of the Top 4 Strategies in ASD’s list of Strategies to Mitigate Targeted Cyber Intrusions.

4. Databases
Protect database systems and their contents from theft, corruption, loss and unauthorised access by hardening through technical measures, administrator and user policies and regular audits. Using supported and patched database software, securely configuring database software and stringently controlling database access will assist in protecting the contents of databases. Assessing agency business requirements before storing sensitive information on databases is imperative, as this can impact an agency’s risk profile. Additionally, removing pre-configured default settings and placing database servers on a different network segment to agency corporate workstations will improve database security.
References

Further guidance on ASD’s Strategies to Mitigate Targeted Cyber Intrusions can be found at www.asd.gov.au/infosec/top35mitigationstrategies.htm.
PRINCIPLES: EMAIL SECURITY

Email Security

Rationale

Email, because it enables the communication of information into and out of an agency, by nature is insecure. Poor email security practices and implementation can lead to unauthorised individuals easily gaining access to sensitive or classified agency information in emails themselves, or through network compromise. Socially engineered emails are one of the most common techniques used to spread malware on agency networks. This technique relies on a user opening a malicious link or attachment. Motivated malicious actors can use these methods to establish doorways into agency networks, which can result in agency information being stolen, altered or even made unavailable. Agencies can minimise their vulnerability to socially engineered emails by properly implementing, monitoring and maintaining the configuration of email servers, software and email applications. These measures will make it difficult for malicious emails to enter an agency network and be delivered to users. However, even with appropriate technical measures in place, educating users to be aware of the threat of malicious emails is one of the most important factors in improving email security.

Scope

This chapter describes the value of the secure implementation and use of email on agency networks. [19]
Principles

1. Email Security

Protect the confidentiality, integrity and availability of information, and ensure information can only be accessed by those intended and authorised to do so, by implementing an email usage policy and applying appropriate security controls to email applications and infrastructure. Protectively marking all electronic-based information is critical for allowing appropriate email security measures to be applied. Protective markings go a long way in preventing unauthorised information from being released into the public domain. Applying appropriate protective markings to emails will also assist in preventing the confidentiality of information being inadvertently compromised as a result of activating automatic forwarding of sensitive or classified emails.
[19] Symantec, Symantec Intelligence Report June 2011, 2011.
Securely configuring email infrastructure (such as blocking inbound and outbound email with a protective marking higher than the classification of the receiving system) can protect against data spills or the potential interception or compromise of information. Implementing identification controls, such as digital signatures and Sender Policy Framework (SPF), can also aid in the detection of spoofed emails that may contain malicious code designed to compromise a network. In the case of SPF, the SPF record specifies a list of IP addresses or domains that are allowed to send email from a specific domain. If the email server that sent the email is not in the list, the verification fails.

Email messages are often routed through many email servers when travelling from sender to recipient. For this reason, it is vital for agencies to put stringent measures in place to check for malicious content (for instance, through a content filter) and confirm the validity of emails.

Socially engineered emails are one of the most common techniques used to spread malware. Once technical measures fail, users are the last line of defence in ensuring a socially engineered email does not lead to malware being installed on a workstation. Agencies need to ensure their users are aware of the threat and educated on how to detect and report suspicious emails. It is important, therefore, to implement an agency email usage policy and communicate agency expectations and processes to their users.
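The SPF check described above, worked through as an added example that is not part of the ISM: an evaluator for a subset of RFC 7208 (the ip4, ip6, a, mx, include and all mechanisms with the +, -, ~ and ? qualifiers) that answers "pass", "fail", "softfail", "neutral", "none" or "permerror" for a given connecting address and sender domain. All domains, addresses and records in the DNS table below are constructed sample data, so the example runs offline.

```python
"""Added example, not from the ISM: a minimal SPF evaluator (RFC 7208 subset)
for the spoofing check described in the Email Security chapter. DNS answers
come from a constructed table so the code runs offline; every domain and
address below is invented sample data."""
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record, A records, MX hosts.
DNS = {
    "agency.example.gov.au": {
        "txt": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all",
        "a": [],
        "mx": ["mail.agency.example.gov.au"],
    },
    "mail.agency.example.gov.au": {"txt": None, "a": ["198.51.100.25"], "mx": []},
    "_spf.mailhost.example": {
        "txt": "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8::/32 ~all",
        "a": [],
        "mx": [],
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps the DNS-querying mechanisms per check


def _records(domain):
    """Look up a domain in the constructed DNS table (empty answer if absent)."""
    return DNS.get(domain, {"txt": None, "a": [], "mx": []})


def _ip_in(ip, cidr):
    """True if ip falls inside cidr; a v4/v6 mismatch or bad prefix never matches."""
    try:
        return ip in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def _host_has_ip(host, ip):
    """True if one of the host's A records equals the connecting address."""
    return any(ip == ipaddress.ip_address(a) for a in _records(host)["a"])


def check_spf(client_ip, domain, _lookups=None):
    """Return the SPF result for a connection from client_ip whose MAIL FROM
    claims the given domain. Terms are evaluated left to right; the first
    matching term's qualifier decides the result."""
    if _lookups is None:
        _lookups = [0]
    ip = ipaddress.ip_address(client_ip)
    record = _records(domain)["txt"]
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published: nothing can be verified
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif name in ("a", "mx", "include"):
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # record too expensive to evaluate safely
            target = arg or domain
            if name == "a":
                matched = _host_has_ip(target, ip)
            elif name == "mx":
                matched = any(_host_has_ip(mx, ip) for mx in _records(target)["mx"])
            else:  # include: matches only if the included record yields "pass"
                matched = check_spf(client_ip, target, _lookups) == "pass"
        else:
            return "permerror"  # mechanism this subset does not understand
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted with no match and no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "2001:db8::1", "192.0.2.200"):
        print(ip, check_spf(ip, "agency.example.gov.au"))
```

A "fail" result only tells the gateway that the sending server is not one the domain owner listed; what to do with such mail (reject, quarantine, tag) is a policy decision for the agency's content filter.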
References

Further information on Government-approved email marking standards can be found in AGIMO’s Email Protective Marking Standard for the Australian Government, www.finance.gov.au/files/2012/04/EPMS2012.3.pdf. Additionally, the implementation guide for the Email Protective Marking Standard for the Australian Government is available at www.finance.gov.au/files/2012/04/email_pmsig.pdf.
PRINCIPLES: ACCESS CONTROL
Access Control

Rationale

Agencies can manage access to system information through appropriate access controls, restricting system access to authorised and successfully identified and authenticated users. The automatic logging and subsequent auditing of information relating to network activities will also increase the likelihood that malicious behaviour will be detected.

Giving each user a unique identification ensures accountability and enables agencies to attribute actions undertaken within a session to specific personnel. Ensuring that users provide sufficient evidence to verify their identity can also reduce the likelihood of a malicious actor successfully masquerading as an authorised user, such as in a social engineering attack aimed at an agency service desk to request a password reset for a system account.

Passwords and passphrases are common authentication techniques which enable an agency to verify the stated identity of a user. However, given the ever-increasing processing power of home computers, length and complexity requirements for passphrases will also continue to increase to provide agencies with adequate protection against basic techniques such as brute-force attacks; a simple six-letter password can be brute-forced in minutes by software freely available on the Internet. Agencies can mitigate this by implementing additional authentication measures, such as multi-factor authentication, which requires the presentation of at least two different kinds of evidence that someone is who they say they are. This can be achieved through various means, including biometrics, cryptographic tokens and smartcards. [20]

Authorisation is the core of access control as it enforces the need-to-know principle. Authorisation is two-fold. Firstly, an individual needs to be authorised to have access to a system, and secondly they need to be authorised to access specific applications, databases or information resources on a system. This is often achieved by using access control lists.

User credentials should be given additional protection to reduce the risk of a malicious actor finding and using the information to access a system under the guise of a valid user.
Scope

This chapter describes the importance of managing user access to system information and the automatic logging and auditing of network activities. [21]
[20] Verizon, 2012 Data Breach Investigations Report, 2012.
[21] Sophos, Security Threat Report 2013, 2013.
2014 INFORMATION SECURITY MANUAL | PRINCIPLES
Principles

1. Identification and Authentication

Ensure that access to a system is limited to users and devices that are authorised to access it by adopting appropriate identification and authentication practices and controls. Strong identification and authentication mechanisms significantly reduce the risk that unauthorised users will gain access to a system.

2. System Access

Protect the confidentiality, integrity and availability of information on systems by limiting authorisation to those with appropriate security clearances, briefings and a demonstrated need-to-know. Managing authorisations of users through the use of access controls on a system helps enforce the need-to-know principle.

3. Event Logging and Auditing

Detect and attribute any violations of information security policy, including cyber security incidents, breaches and intrusions, by maintaining, auditing and ensuring the availability and integrity of event logs. Event logging and auditing helps raise the security posture of a system by increasing the accountability for all user actions, thereby improving the chances that malicious behaviour will be detected. Agencies should ensure sufficient detail is recorded in order for the logs to be useful when reviewed, and determine an appropriate length of time for them to be retained. Conducting audits of event logs should be seen as an integral part of system maintenance, since they will help detect and attribute any violations of information security policy, including cyber security incidents, breaches and intrusions. Agencies are required under the Archives Act 1983 to retain event logs and audit trails for a minimum of seven years. [22]
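As an added illustration (not part of the ISM, and not ASD's code) of the two-fold authorisation and the attributable, integrity-protected event logging described in this chapter: stage one checks whether the uniquely identified user is authorised on the system at all, stage two checks clearance, briefing and the resource's access control list (need-to-know), and every decision is appended to a hash-chained log whose audit detects later tampering. The marking levels, user IDs, system names and resources are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed ordering of protective markings (hypothetical, not taken from the
# ISM) so a user's clearance can be compared with a resource's classification.
LEVELS: Dict[str, int] = {
    "UNCLASSIFIED": 0, "PROTECTED": 1, "CONFIDENTIAL": 2, "SECRET": 3, "TOP SECRET": 4,
}


@dataclass(frozen=True)
class User:
    user_id: str               # unique identifier: every logged action is attributable
    clearance: str
    briefings: FrozenSet[str]  # briefings (compartments) the user holds
    systems: FrozenSet[str]    # systems the user is authorised to log on to (stage 1)


@dataclass(frozen=True)
class Resource:
    name: str
    system: str
    classification: str
    briefing: Optional[str]    # briefing required to see this resource, if any
    acl: FrozenSet[str]        # user_ids with a demonstrated need-to-know (stage 2)


@dataclass
class AuditLog:
    """Append-only event log. Each record carries the digest of the previous
    record, so editing or deleting any past entry breaks the chain on audit."""
    records: List[dict] = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.records[-1]["digest"] if self.records else "0" * 64
        digest = self._digest(prev, event)
        self.records.append({"prev": prev, "event": event, "digest": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            if rec["prev"] != prev or self._digest(prev, rec["event"]) != rec["digest"]:
                return False
            prev = rec["digest"]
        return True


def authorise(user: User, res: Resource, log: AuditLog) -> Tuple[bool, str]:
    """Two-fold authorisation: (1) may the user access the system at all, and
    (2) do clearance, briefing and the resource ACL (need-to-know) permit this
    resource? Every decision, granted or refused, is logged against user_id."""
    if res.system not in user.systems:
        reason = "not authorised on system"
    elif LEVELS[user.clearance] < LEVELS[res.classification]:
        reason = "insufficient clearance"
    elif res.briefing is not None and res.briefing not in user.briefings:
        reason = "missing briefing"
    elif user.user_id not in res.acl:
        reason = "no need-to-know (not on ACL)"
    else:
        reason = "granted"
    granted = reason == "granted"
    log.append({"user": user.user_id, "system": res.system, "resource": res.name,
                "outcome": "GRANT" if granted else "DENY", "reason": reason})
    return granted, reason


def run_demo() -> Tuple[List[Tuple[bool, str]], bool, bool]:
    """Constructed users and resources. Returns the access decisions, whether
    the log verifies after honest use, and whether it still verifies after an
    attempt to rewrite a past DENY into a GRANT."""
    log = AuditLog()
    alice = User("u1001", "SECRET", frozenset({"PROJECT-X"}), frozenset({"FIN-SYS"}))
    bob = User("u1002", "PROTECTED", frozenset(), frozenset({"FIN-SYS"}))
    carol = User("u1003", "SECRET", frozenset(), frozenset({"HR-SYS"}))
    ledger = Resource("ledger.db", "FIN-SYS", "PROTECTED", None, frozenset({"u1001", "u1002"}))
    plans = Resource("plans.docx", "FIN-SYS", "SECRET", "PROJECT-X", frozenset({"u1001"}))
    decisions = [
        authorise(alice, ledger, log),  # granted
        authorise(bob, plans, log),     # fails stage 2: clearance too low
        authorise(carol, plans, log),   # fails stage 1: not authorised on FIN-SYS
        authorise(alice, plans, log),   # granted: cleared, briefed, on the ACL
    ]
    intact_before = log.verify()
    log.records[1]["event"]["outcome"] = "GRANT"  # simulated tampering with a past record
    return decisions, intact_before, log.verify()


if __name__ == "__main__":
    for decision in run_demo()[0]:
        print(decision)
```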
References

Further information on minimum retention periods for Commonwealth records is provided in the National Archives of Australia's Administrative Functions Disposal Authority, which can be found at www.naa.gov.au/records-management/agency/keep-destroy-transfer/agency-ra/index.aspx.

[22] Sophos, Security Threat Report 2013, 2013.
PRINCIPLES: SECURE ADMINISTRATION
Secure Administration

Rationale

Secure enterprise administration allows agencies to be resilient in the face of malicious cyber intrusions by protecting privileged machines and accounts from compromise, as well as making an adversary's movement through a network more difficult. By implementing technical controls and configuring networks to improve administration security, it is more likely the secure administration system will withstand a cyber intrusion. This can limit damage and can make incident response far more agile, allowing remediation work to be completed faster.
Scope

This chapter describes the importance of applying security controls and processes to improve the security of administrative credentials, infrastructure and actions performed on a network or system.
Principles

1. Secure Administration

Increase the level of assurance that administrator activities and credentials will not be compromised during a malicious cyber intrusion by implementing robust technical controls and processes. One of the greatest threats to the security of a network is the compromise of a workstation used for IT administration. Providing administrators responsible for critical assets with a physically separate workstation, with robust technical controls in place, in addition to the workstation they use for unprivileged access, provides greater assurance that administrator activities and credentials will not be compromised.
References

Nil.
PRINCIPLES: CRYPTOGRAPHY
Cryptography

Rationale

Cryptography is primarily used to restrict access to information to authorised users. First and foremost, encryption improves confidentiality, providing protection to classified or sensitive information by making it unreadable to all but authorised users. More broadly, cryptography can also provide:

• Data integrity: protecting information from accidental or deliberate manipulation. It provides users with assurance that information has not been modified.
• Authentication: ensuring that a person or entity is who they claim to be. A robust authentication system is essential for protecting access to IT systems.
• Non-repudiation: proof that a user performed an action, such as sending a message, and preventing them from denying that they did so.

Using approved encryption does not reduce the consequences of a successful attack and, in effect, no real-world product can ever be guaranteed to be free of vulnerabilities. Before approving cryptographic algorithms for use, ASD conducts a meticulous evaluation of those already scrutinised by industry and academic communities in practical and theoretical settings, which have not been found to be susceptible to any feasible attacks. However, there can be no guarantee of security against presently unknown attacks. It is vital that agencies remain aware of what is possible as the information technology environment continues to develop and change.

Using any cryptographic product, algorithm or protocol is not sufficient in itself to adequately reduce the likelihood of compromise. Unapproved or inappropriately configured cryptographic algorithms and protocols can carry a significant level of risk. In particular, installing a cryptographic capability can increase security confidence within an agency and change user behaviour by promoting the view that more sensitive or classified information is now able to be stored and communicated securely. If this capability is poorly configured, it can lead to an actual reduction in overall security, as the system may be used to carry more sensitive information with little to no genuine improvement to security. Further, some common protocols have known impacts on other security operations, for example, restricting an agency's ability to inspect encrypted messages and attachments for inappropriate content, or scan files for viruses and malicious code.

To maximise the benefit of cryptographic capabilities, agencies should only use ASD Approved Cryptographic Algorithms and Protocols, ensuring that they are configured appropriately, and be aware of any known restrictions or vulnerabilities.
Scope

This chapter describes the use of ASD Approved Cryptographic Algorithms and Protocols to encrypt information, and the management of cryptographic systems.
Principles

1. Protecting Information at Rest

Maintain the confidentiality and integrity of classified or sensitive information at rest using an appropriate ASD Approved Cryptographic Algorithm. Encrypting information at rest can be used to reduce physical storage and handling requirements, as well as maintain its confidentiality.

2. Protecting Information in Transit

Maintain the confidentiality and integrity of classified or sensitive information in transit using ASD Approved and appropriately configured Cryptographic Protocols implementing an ASD Approved Cryptographic Algorithm. Encrypting information in transit, using ASD Approved Cryptographic Protocols which implement an ASD Approved Cryptographic Algorithm, can be used to protect classified or sensitive information being communicated over unclassified or public networks. Unapproved or incorrectly configured cryptographic protocols, in combination with an assumed level of security confidence, can represent a significant security risk.

3. Availability of Information

Ensure encrypted information is accessible to those that require it when they require it by implementing appropriate procedures and controls for data recovery. Cryptographic products which provide a means of data recovery can allow for retrieval of information in circumstances where the encryption key is unavailable due to loss, damage or failure.

4. Management of Cryptographic Systems

Maintain the integrity of cryptographic systems, and hence the confidentiality and integrity of the information being protected, by applying appropriate governance and personnel and physical security measures. Appropriate security measures are crucial in safeguarding cryptographic systems and their material from compromise.
References

ASD Approved Cryptographic Algorithms and Protocols are listed in the Cryptography chapter of the ISM Controls manual.
PRINCIPLES: NETWORK SECURITY
Network Security

Rationale

Agency networks can contain sensitive, classified and business-critical information and services. Malicious actors look for ways to exploit weaknesses in an agency's network to gain unauthorised access, disrupt legitimate access, or modify such information and services. If a malicious actor has limited opportunities to connect to a given network, they have limited opportunities to compromise that network. Agencies can structure and configure their networks to reduce the number of potential entry points that could be used by a malicious actor to gain unauthorised access to information or disrupt agency services.

It is also important to consider not just the risks from vulnerabilities in an agency controlled network, but also in external networks. For instance, when devices connect to non-agency controlled wireless networks, particularly public wireless networks, they may be exposed to viruses, malware or other malicious code circulating on the network. If the device becomes infected and is later connected to an agency controlled network, then malicious code can enter the network and steal sensitive information or disrupt the agency's systems. [23]
Scope

This chapter describes the importance of securely deploying, configuring and managing network devices and infrastructure.
Principles

1. Network Management

Ensure all sections of an agency's network comply with information security policies, and that network vulnerabilities are identified and addressed, by adopting appropriate network management practices. Central management will help ensure that all sections of the network comply with information security policies. Network documentation that is updated as changes are made will assist system administrators to completely understand and adequately protect the network. Appropriate intrusion detection and prevention mechanisms and the logging of network activity, such as recording the occurrence of blocked emails or monitoring suspicious network traffic, can assist agencies to prevent, detect and respond to cyber security incidents. Regular audits, security reviews and vulnerability analysis activities can assist agencies in avoiding security degradation over time as the information technology and threat environment evolves. Transferring data between systems in a controlled and accountable manner can reduce the risk of data spills and the introduction of malicious code to a system.

[23] McAfee Labs, McAfee Threats Report: First Quarter 2013, 2013.
2. Network Design and Configuration

Reduce opportunities for a malicious actor to compromise or gain unauthorised access to sensitive or classified information through the secure design and configuration of agency networks. Implementing strong network authentication controls and minimising unnecessary access points (for instance, by disabling unused physical ports, filtering unnecessary content and applying network access controls) will reduce the opportunities from which an attack could be launched. Agencies should be aware of the inherent risks in connecting specific devices to a network. For instance, softphones (software applications which allow a workstation to act as a VoIP phone, such as Skype) can introduce additional vulnerabilities into the network as they do not separate voice from data, as hardware-based IP phones do. This can provide a malicious actor with access to an agency's voice network via their data network.
When using wireless networks, network segregation, changing default settings, authentication, encryption and securing devices used to access wireless networks will significantly reduce the risk of compromise. [24] Scanning imported data for malicious content reduces the risk of a system being infected, thus maintaining its confidentiality, integrity and availability.

3. Network Infrastructure

Maintain the confidentiality, integrity and availability of information by applying a defence-in-depth approach to the secure deployment of network infrastructure. Minimising network complexity and physically separating sections of a network can reduce the number of potential access points that could be used to gain unauthorised access to sensitive or classified information, and makes it difficult for an intruder to propagate once inside the network. Physically or logically separating sections of a network can also help ensure the availability of information and services when other sections of the network have been affected, for example by a Distributed Denial of Service attack (an attempt to flood networks with unwanted traffic to disrupt or degrade services). Further, building redundancies into an agency's network, for example through the use of multiple Internet links, can help increase the complexity required for a successful Distributed Denial of Service attack, as well as increasing the agency's response options.
[24] Verizon, 2012 Data Breach Investigations Report, 2012.
Separating sections of a network is essential to enable agencies to implement a defence-in-depth approach to network security. Network segmentation is one of the most effective methods to prevent a cyber intruder from propagating inside a network. If implemented correctly, it can be significantly more difficult for an intruder to find and access their target information and move undetected around the network. Logging functionality in network segmentation technologies can prove extremely valuable in detecting an intrusion and, in the event of a compromise, isolating a compromised device from the rest of the network.
References

Nil.
PRINCIPLES: CROSS DOMAIN SECURITY
Cross Domain Security

Rationale

Connecting a security domain to another security domain, which includes connecting to the Internet, poses significant risks to an agency's information. Gateways and cross domain security measures can mitigate these risks by securely managing data flows between different security domains. Applying robust security measures, including content filters and firewalls, to gateway systems will reduce the risk of malicious content entering the security domain or of information being accessed by those unauthorised to do so. Physically locating all gateway components inside an appropriately secure area also reduces the risk of unauthorised access to the devices. Further, providing a sufficient logging and audit capability can assist an agency in detecting and responding to cyber security incidents and attempted network intrusions, allowing the agency to implement countermeasures to reduce the risk of future attempts.
Scope

This chapter describes the importance of securely transferring information to and from a security domain through a gateway, including using cross domain solutions.
Principles

1. Gateway Security

Protect the confidentiality, integrity and availability of information on agency networks by appropriately deploying and configuring gateways. Given the criticality of gateways in controlling the flow of information between security domains, poor configuration or management of a gateway can have serious consequences, potentially providing a malicious actor with access to an agency's entire network.

2. Cross Domain Security

Ensure the secure transfer of information between security domains with a high level of assurance by implementing security-enforcing mechanisms. Connecting systems with differing security policies poses significant risks. For classified networks, using a cross domain solution comprising ASD evaluated products will help protect the confidentiality, integrity and availability of information being transferred between security domains.

3. Maintenance and Review

Identify and mitigate security risks as early as possible by maintaining and regularly reviewing gateway architecture. This includes undertaking routine testing and regular security risk assessments and ensuring that any residual risks are accepted. Changes to a security domain connected to a gateway can potentially affect the security posture of other connected security domains.
References

Nil.
PRINCIPLES: DATA TRANSFERS AND CONTENT FILTERING
Data Transfers and Content Filtering

Rationale

When data is moved from one security domain to another there is a risk of intentionally or unintentionally causing a data spill or allowing malicious or unauthorised content to enter a security domain. Two activities help reduce the risk of unauthorised or malicious content transiting the boundary: implementing a data transfer policy which ensures that content leaves a security domain in a secure manner, and applying content filtering which allows security policies to be run on material entering and leaving a security domain.
Scope

This chapter describes the importance of performing data transfers and content filtering in a secure manner.
Principles

1. Data Transfers

Mitigate the risk of data spills of sensitive or classified information to systems not accredited to handle the data by having a policy governing data transfers and a procedure in place for authorising and importing or exporting the data to a system. A data transfer authorisation system will not only hold users accountable for data they transfer between systems but also give agencies an opportunity to scan the data for malicious and active content and check that the classification of the data is appropriate for the destination system.

2. Content Filtering

Implement content filtering techniques to reduce the risk of unauthorised or malicious content transiting a security domain boundary. Blocking or allowing data transiting a security domain boundary based on its content can increase the level of assurance that information transiting a security domain is legitimate and benign. There are a number of techniques that may constitute content filtering, both to prevent suspicious data and malicious content from entering a security domain and to restrict the export of data to appropriate content.
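As an added illustration (not part of the ISM, and not ASD's code) of the two checks a data transfer authorisation system performs under Principles 1 and 2 above: the data's classification must not exceed the destination system's accreditation, and the payload is filtered for active content before the transfer is approved, with the requester recorded for accountability. The marking order, the active-content indicators and the sample payloads are constructed; a real content filter parses each file format rather than matching bytes.

```python
import re
from typing import Dict, List, Tuple

# Constructed ordering of protective markings (hypothetical, not taken from the
# ISM); moving data to a system accredited below its marking is a data spill.
LEVELS: Dict[str, int] = {
    "UNCLASSIFIED": 0, "PROTECTED": 1, "CONFIDENTIAL": 2, "SECRET": 3, "TOP SECRET": 4,
}

# Constructed indicators of active content, used only to show where the content
# filter sits in the decision; production filters parse the file format itself.
ACTIVE_CONTENT = [
    (re.compile(rb"\AMZ"), "Windows executable header"),
    (re.compile(rb"<script\b", re.IGNORECASE), "embedded script element"),
    (re.compile(rb"\b(?:AutoOpen|Document_Open|Workbook_Open)\b"), "auto-running Office macro"),
]


def filter_content(payload: bytes) -> List[str]:
    """Return a label for every active-content indicator found in the payload."""
    return [label for pattern, label in ACTIVE_CONTENT if pattern.search(payload)]


def authorise_transfer(requester: str, data_classification: str,
                       destination_accreditation: str, payload: bytes) -> Tuple[bool, dict]:
    """Decide whether a transfer may proceed and return the decision together with
    a record for the transfer log (who requested it, what was checked, and why).
    Check 1: the data's marking must not exceed the destination's accreditation.
    Check 2: the payload must carry no active or malicious content."""
    findings: List[str] = []
    if LEVELS[data_classification] > LEVELS[destination_accreditation]:
        findings.append("classification %s exceeds destination accreditation %s (data spill)"
                        % (data_classification, destination_accreditation))
    findings.extend("active content: " + label for label in filter_content(payload))
    approved = not findings
    record = {
        "requester": requester,  # the user is held accountable for the transfer
        "data_classification": data_classification,
        "destination_accreditation": destination_accreditation,
        "payload_bytes": len(payload),
        "decision": "APPROVED" if approved else "REFUSED",
        "findings": findings,
    }
    return approved, record


def run_demo() -> List[Tuple[bool, dict]]:
    """Three constructed transfer requests, one exercising each outcome."""
    report = b"Quarterly figures for the finance ledger. Totals reconciled."
    macro_doc = b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\n  ActiveDocument.Save\r\nEnd Sub\r\n'
    return [
        authorise_transfer("u1001", "PROTECTED", "PROTECTED", report),        # approved
        authorise_transfer("u1001", "SECRET", "PROTECTED", report),           # refused: spill
        authorise_transfer("u1002", "UNCLASSIFIED", "PROTECTED", macro_doc),  # refused: macro
    ]


if __name__ == "__main__":
    for approved, record in run_demo():
        print(record["decision"], record["findings"])
```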
References

Nil.
PRINCIPLES: WORKING OFF–SITE
Working Off-Site

Rationale

The use of mobile devices has become essential to everyday communication. Mobile devices can provide employees with access to email, the Internet and even agency systems, allowing them to work from home, an airport lounge or hotel room. They provide greater accessibility, mobility, convenience and, importantly, efficiency. While agencies should naturally embrace the potential of mobile devices, it is important to understand and evaluate the risks associated with their use and how they impact an agency's security risk profile.

Once a mobile device leaves a controlled office environment, it also leaves behind the protection that environment affords. Some of the best qualities of mobile devices, such as their portability and capacity for use outside the office, have introduced new risks. The more capable these devices are of helping users access and use data, the more capable they are of being manipulated by malicious actors for the same end. Poorly controlled mobile devices are particularly vulnerable to loss and compromise, and may provide a malicious actor with an access point into an agency's system. For instance, users who access websites and web-based email from their mobile devices can make themselves vulnerable to Internet-based threats, such as malware. The employee can then inadvertently expose the corporate network to these threats when he or she connects to the agency's system from the same device.

Further, agencies that allow business use of personal mobile devices can introduce significant risks to their information, as personal devices often do not have sufficient inbuilt security features enabled, such as authentication controls and encryption. These risks apply equally for workstations installed for home-based work. Privacy rights should also be considered by agencies permitting the use of personal devices for business purposes, as access to records in the event of an incident can be restricted due to privacy concerns. Agencies must also consider their obligations under relevant legislation, such as government data retention requirements under the Archives Act 1983.

It is important for agencies to identify the circumstances where the liability and security risks of using mobile devices outweigh the benefits. In particular, mobile devices carrying highly classified information should not be used outside of appropriately certified facilities, as the risk of classified information being overheard or observed is considered too high.

Although mobile networking alters the risks associated with various threats to security, the overall security objectives remain the same as with wired networks: maintaining confidentiality, integrity and availability of systems and their information. To reduce the risks of use, it is critical that agencies develop and implement policies to ensure users protect mobile devices in an appropriate manner when they are used outside controlled facilities, and that personnel working from home or outside the office protect information in the same manner as in the office environment.
Scope

This chapter describes managing the use of mobile devices and accessing information from unsecured locations and home environments.
Principles

1. Acceptable Use

Prevent mobile devices from becoming a security risk to the system or network they connect to by implementing, and educating personnel on, an effective mobile device usage policy. Information being communicated via a mobile device outside a controlled facility can be more easily overheard or observed by those not authorised to do so. An agency policy governing the use of mobile devices can help build awareness of the elevated risks relating to their use, and ensure confidentiality and integrity of information is maintained. Under an acceptable use policy, personnel need to know the classification of information which the device has been approved to process or communicate before use. [25]

Using mobile devices for both personal and business purposes can make them more susceptible to Internet-based threats. For instance, during personal web browsing, personnel are more likely to open unidentified links or visit unfamiliar sites, which can bring about the spread of malware. Users also need to be aware that mobile applications can contain malicious code or malicious content that is installed along with the legitimate software. Malware can provide an entry route into the associated business network as well as access to information stored or communicated on the mobile device.

Connecting mobile devices to an unknown or untrusted source (for charging or to provide network connectivity) can also pose a security risk to an agency. For example, if a smartphone is plugged into an unknown computer via a USB cable to charge, then the contents of the device could be compromised or malware loaded onto the device. For the same reason, agency users should not allow unknown or untrusted people to connect a mobile device to their laptop.

2. Mobile Device Configuration

Limit situations, or mitigate the consequences of situations, where a user loses control over a mobile device by securely configuring the device and implementing appropriate processes. Most mobile devices have been designed for use outside the office and thus can be more easily accessed or stolen. Emergency destruction procedures and lost device labels can help reduce the risk of data spills when a mobile device is lost or compromised. Proper encryption technology can enhance the security of information stored on a mobile device and help protect sensitive or classified information being communicated wirelessly or over unsecured public infrastructure from unauthorised access.

[25] Symantec Corporation, Internet Security Threat Report 2013, 2013.
3. Wireless Communications and Connectivity

Protect sensitive or classified information from unauthorised access by only enabling wireless communications on a mobile device that are needed and can be secured. Wireless networks do not have the inbuilt physical security of wired networks, providing malicious actors with greater opportunities to connect to agency networks remotely. The wireless transfer of information, for instance through Bluetooth, infrared or Wi-Fi, can serve as an illicit entry point for an entire network. When public wireless access points are used, malicious actors can easily intercept information being communicated, including secure log-on details, using basic software available on the Internet.

4. Upkeep and Maintenance

Maintain the integrity and confidentiality of the information stored or communicated on a mobile device by conducting regular audits and security updates. Although agencies may initially provide a secure mobile device, the state of security may degrade over time. It is important for agencies to remain aware of new vulnerabilities as the information technology environment evolves. Keeping security software up to date will protect the mobile device from new variants of malware and viruses that threaten an agency's critical information. [26]

5. Working From Home

Prevent systems or mobile devices from becoming a weak link in an agency system's security by ensuring that home environments used for business purposes meet the minimum security requirements in the Australian Government Physical Security Management Protocol of the Australian Government Protective Security Policy Framework. If sensitive or classified information is being accessed by personnel working from home, specifically when information systems and devices are used, it needs to be afforded the same protection as in the office environment.
References

Information relating to physical security is contained in the Australian Government Physical Security Management Protocol of the Protective Security Policy Framework, which can be found at www.protectivesecurity.gov.au. For further information on working from home see the Australian Government Physical Security Management Guidelines: Working Away From the Office, which can be found at www.protectivesecurity.gov.au. Information on enterprise mobility considerations can be found in ASD's Protect publication Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD) at www.asd.gov.au.

[26] Australian Mobile Telecommunications Association, FAQs on Mobile Security, found at www.amta.org.au.
SUPPORTING INFORMATION
Supporting Information

Glossary of Terms

access control
    Enabling the authorised use of a resource while preventing unauthorised use or use in an unauthorised manner.

accreditation
    A procedure by which an authoritative body gives formal recognition, approval and acceptance of the associated residual security risk with the operation of a system.

accreditation authority
    The authoritative body associated with accreditation activities. Advice on who should be recognised as an agency's accreditation authority can be found in the Conducting Accreditation section of the ISM Controls manual.

agency
    Includes all Australian government departments, authorities, agencies or other bodies established in relation to public purposes, including departments and authorities staffed under the Public Service Act 1999, the Financial Management and Accountability Act 1997 or the Commonwealth Authorities and Companies Act 1997.

agency head
    The government employee with ultimate responsibility for the secure operation of agency functions, whether performed in-house or outsourced.

application whitelisting
    An approach in which all executables and applications are prevented from running by default, with an explicitly defined set of executables allowed to execute.

audit
    An independent review of validity, accuracy and reliability of information contained on a system. In the context of conducting system accreditations, an audit is an examination and verification of an agency's systems and procedures, measured against predetermined standards.

Australasian Information Security Evaluation Program (AISEP)
    A program under which evaluations are performed by impartial companies against the Common Criteria. The results of these evaluations are then certified by ASD, which is responsible for the overall operation of the program.

authentication
    Verifying the identity of a user, process or device as a prerequisite to allowing access to resources in a system.

availability
    The assurance that systems are available and accessible by authorised entities when required.
TERM
MEANING
certication
A procedure by which a formal assurance statement is given that a deliverable conforms to a specied standard.
certication authority
An ofcial with the authority to assert that a system complies with prescribed controls in a standard.
classication
The categorisation of information or systems according to the business impact level associated with information or a system.
classied information
Government information that requires protection from unauthorised disclosure.
condentiality
The assurance that information is disclosed only to authorised entities.
cross domain solution
An information security system capable of implementing comprehensive data ow security policies with a high level of trust between two or more differing security domains.
cryptographic algorithm
An algorithm used to perform cryptographic functions such as encryption, integrity, authentication, digital signatures or key establishment.
cryptographic protocol
An agreed standard for secure communication between two or more entities to provide condentiality, integrity , authentication and non–repudiation of information.
cyber security
Security measures relating to the condentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means.
cyber security event
An identied occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.
cyber security incident
A single or a series of unwanted or unexpected cyber security events that have a signicant probability of compromising business operations and threatening information security .
Cyber Security Incident Reporting scheme
A scheme established by ASD to collect information on cyber security incidents that affect government systems.
data spill
The accidental or deliberate exposure of classified, sensitive or official information into an uncontrolled or unauthorised environment or to persons without a need-to-know.
declassification
A process whereby information is reduced to an unclassified state and an administrative decision is made to formally authorise its release into the public domain.
emanation security
The countermeasure employed to reduce classified emanations from a facility and its systems to an acceptable level. Emanations can be in the form of radio frequency energy, sound waves or optical signals.
2014 INFORMATION SECURITY MANUAL | PRINCIPLES
63
SUPPORTING INFORMATION
TERM
MEANING
Distributed Denial of Service (DDoS)
The compromise of availability of IT systems, where multiple systems are used to compromise the targeted systems.
firewall
A system designed to prevent unauthorised access to or from a network or system.
gateway
Gateways securely manage data flows between connected networks from different security domains. Refer to the Cross Domain Security chapter of the ISM Controls manual for further information.
handling requirements
An agreed standard for the storage and dissemination of classified or sensitive information to ensure its protection. This can include electronic information, paper-based information or media containing information.
hardware
A generic term for any physical component of information and communication technology.
ICT system
A related set of hardware and software used for the processing, storage or communication of information and the governance framework in which it operates.
infrared device
Devices such as mice, keyboards, pointing devices and mobile devices that have an infrared communications capability.
information security
The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability.
Information Security Registered Assessor Program
An ASD initiative designed to register suitably qualified information security assessors to carry out specific types of security assessments, including for gateways and information systems up to the SECRET classification level.
integrity
The assurance that information is unmodied.
malware
Malicious software used to gain unauthorised access to computers, steal information and disrupt or disable networks. Types of malware include logic bombs, trapdoors, Trojans, viruses and worms.
media
A generic term for hardware that is used to store information, such as USB sticks, portable hard drives, CDs and DVDs.
media destruction
The process of physically damaging the media with the objective of making the data stored on it inaccessible. To destroy media effectively, only the actual material in which the data is stored needs to be destroyed.
media disposal
The process of relinquishing control of media when no longer required, in a manner that ensures that no data can be recovered from the media.
media sanitisation
The process of erasing or overwriting data stored on media so the data cannot be retrieved or reconstructed.
metadata
Information that describes data. This can include how the data was created, the time and date of creation, the author of the data and the location on a network where the data was created.
mobile device
A portable computing or communications device with information storage capability that can be used from a non-fixed location. Mobile devices include mobile phones, smartphones, portable electronic devices, personal digital assistants, laptops, netbooks, tablet computers and other portable Internet-connected devices.
multifunction devices
The class of devices that combines printing, scanning, copying, faxing or voice messaging functionality in the one device. These devices are often designed to connect to computer and telephone networks simultaneously.
need-to-know
The principle of telling a person only the information they require to fulfil their role.
network device
Any device designed to facilitate the communication of information destined for multiple users. For example: cryptographic devices, firewalls, routers, switches and hubs.
network infrastructure
The infrastructure used to carry information between workstations and servers or other network devices.
patch
A piece of software designed to fix problems with, or update, a computer program or its supporting data. This includes fixing security vulnerabilities and other program deficiencies and improving the usability or performance of the software.
Protective Security Policy Framework (PSPF)
Produced by the Attorney–General’s Department, the Australian Government Protective Security Policy Framework sets out the Australian Government’s protective security requirements for the protection of its people, information and assets (replaced the PSM).
product
Technology, whether hardware or software, which enables the electronic storage, retrieval, manipulation, transmission or receipt of information in a digital form.
reaccreditation
A procedure by which an authoritative body gives formal recognition, approval and acceptance of the associated residual security risk with the continued operation of a system.
risk
The chance of something happening that will affect objectives—it is measured in terms of event likelihood and consequence.
risk acceptance
An informed decision to accept risk.
risk analysis
The systematic process to understand the nature, and deduce the level, of risk.
risk appetite
Statements that communicate the expectations of an agency’s senior management about the agency’s risk tolerance—these criteria help an agency identify risk and prepare appropriate treatments, and provide a benchmark against which the success of mitigations can be measured.
risk management
The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
risk mitigation
Actions taken to lessen the likelihood, negative consequences, or both, associated with a risk.
residual risk
The remaining level of risk after risk treatments have been implemented.
security domain(s)
A security domain is a system or collection of systems operating under a security policy that defines the security to be applied to information on the system or systems. That security may be represented by a classification, caveat or releasability marking with or across classifications.
sensitive information
Either unclassified or classified information identified as requiring extra protections (e.g. compartmented or Dissemination Limiting Marker information).
softphone
A software application that allows a workstation to act as a Voice over Internet Protocol (VoIP) phone, using either a built-in or an externally connected microphone and speaker (e.g. Skype).
system
A related set of hardware and software used for the processing, storage or communication of information and the governance framework in which it operates.
threat
Any circumstance or event with the potential to harm an information system through unauthorised access, destruction, disclosure, modification of data, and/or denial of service. Threats arise from human actions and natural events.
user
An entity authorised to access an information system.
vulnerability
In the context of information security, a vulnerability is a weakness in system security requirements, design, implementation or operation that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy.
wireless access point
A device which enables communications between wireless clients. It is typically also the device which connects the wireless local area network to the wired local area network.
workstation
A stand-alone or networked single-user computer.
asd.gov.au ASD | REVEAL THEIR SECRETS—PROTECT OUR OWN