asd cyber security bulletin 2013 12


    ASD CYBER SECURITY BULLETIN

    Issue #12 December 2013

    Inside this issue

    • Don't let your guard down
    • Removable threat
    • Freebies carry hidden cost
    • Don't be speared this Christmas
    • UPDATE: New Apple operating system iOS 7

    Don't let your guard down

    The holiday season is a busy time of year. However, with greater numbers of staff on leave, it is also a time when adversaries can take advantage of varying workloads. Agencies need to remain vigilant to ensure that regular security practices are not overlooked as the year draws to a close.

    The end of the year is also a time for us to reflect on the lessons learnt in the past twelve months. What elements of your information security posture worked well? What gaps still need to be addressed? For Government agencies, these gaps may lie in the implementation of ASD's Top 4 Strategies to Mitigate Targeted Cyber Intrusions, which became mandatory for Government agencies under the Protective Security Policy Framework (PSPF) earlier this year. A number of agency responses on implementation of PSPF mandatory requirements point to issues related to implementation of Application Whitelisting (No. 1 of the Top 4). ASD has developed a range of advice publications to assist agencies. These are available on our public website (asd.gov.au). Examples include:

    • Top 4 Mitigation Strategies for Senior Managers
    • Application Whitelisting Explained
    • Top 4 Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirements Explained

    ASD has seen many changes in 2013, including the renaming of our organisation from the Defence Signals Directorate to the Australian Signals Directorate, as outlined in the 2013 Defence White Paper. Although our name has changed, our mandate has not. We remain committed to and focussed on assisting agencies in ensuring the security and resilience of their information and ICT systems.

    I want to thank agency CIOs, CISOs and IT Security Advisors for their continued engagement, support and collaboration on cyber security matters during 2013 and look forward to our continued partnership next year.

    As many of our staff head off on leave over the December - January period, I strongly encourage you to continue to report incidents to the Cyber Security Operations Centre. We must remain vigilant to the numerous cyber threats out there. Adversaries will look to take advantage of smaller staff numbers and the usual drop-off in operational tempo over the holiday period.

    On behalf of ASD and my cyber security staff, I wish you a happy and cyber safe holiday season.

    Joe Franzi is the Assistant Secretary for Cyber Security at the Australian Signals Directorate.


    Removable threat

    Removable media such as flash drives, CDs/DVDs and external hard drives are commonplace in our lives today. The use of removable media at work, whilst often the most quick and convenient method of transferring and transporting data, brings with it a number of risks.

    What can happen?

    The most significant security threats are the introduction of malicious software (malware), and data spills.

    Inserting removable media can transfer hidden malware onto your system without your knowledge. Once malware starts to run, an intruder can see everything that you can see and use your computer to gain access to your wider network.

    Data spills occur when sensitive or classified data is transferred onto a system not accredited to handle that material. This usually occurs as a result of user error and can jeopardise the integrity and control of that information. By controlling the use of removable media around classified systems the risk of this occurring can be minimised.

    Take control

    All Australian government agencies need to develop and implement a policy to manage the use of removable media on their networks.

    It is recommended that agencies undertake a risk assessment of their removable media usage procedures and subsequently select the appropriate controls from the Australian Government Information Security Manual (ISM) to mitigate the risks associated with removable media. Once an agency has implemented the appropriate controls, it needs to ensure that these are supported with adequate enforcement and user training.


    The ISM provides technical security controls to assist with the following aspects of removable storage media control:

    • Handling: maintain confidentiality by accurately classifying, reclassifying, labelling and registering media in accordance with the information it holds.
    • Usage: maintain the confidentiality of stored information by implementing and documenting appropriate standards for connecting, storing and transferring media.
    • Sanitisation: reduce the likelihood of a data spill by implementing proper processes for sanitising media that is either no longer required or before reuse.
    • Destruction: prevent unauthorised access to stored classified or sensitive information by destroying media that cannot be sanitised appropriately.
    • Disposal: minimise the likelihood of a data spill when media is released into the public domain by declassification and a formal administrative decision to approve its disposal.

    Related advice

    ASD publishes a number of documents to assist system owners, project managers, technical and security staff including:

    • The Australian Government Information Security Manual: www.asd.gov.au
    • Strategies to Mitigate Targeted Cyber Intrusions: www.asd.gov.au
    • Issue-specific Protect publications: www.onsecure.gov.au

    What is removable media?

    Removable media is any storage media or device, with the ability to be read and written to, which may be removed from a computer system without requiring the computer to be powered off. This includes:

    • External hard disk drives
    • USB flash drives
    • Optical discs, such as CDs and DVDs
    • Memory cards
    • Magnetic tapes or disks


    Freebies carry hidden cost

    Targeting of high profile events such as G20, ASEAN and VIP visits, by malicious cyber intruders is a real and persistent threat to Australian government agencies. Intruders may use these opportunities to gift electronic devices that are preloaded with malware to participants.

    Recent media reporting alleges that participants at a G20 meeting were gifted electronic devices potentially infected with malware. When these devices are used or connected to an Australian Government network, or a personal device, malware may install and run, causing a compromise to the network and potential theft of sensitive data.

    IT security staff and attendees at events need to be aware of the threat posed by these nontraditional attempts to gain access to their valuable information. Whenever 20 of the world's largest and fastest developing economies are involved, intruders would love to have access to any related information. So user education remains vital to mitigating the cyber threat.

    Gifted electronic devices should not be used and should be immediately reported to ICT security staff. ICT security staff should then contact the CSOC when they are notified of staff receiving electronic gifts.

    More information is available in ASD's Protect fact sheet Cyber Security Advice for High Profile Events. This can be found in the Publications section of the ASD website. Also stay tuned to this section for specific G20 advice.


    Don't be speared this Christmas

    Cyber intruders use seasonal themes to entice readers to open emails containing malware. These socially engineered e-mails are the most common intrusion technique observed by ASD's Cyber Security Operations Centre. Socially engineered (or spear-phishing) e-mails contain tailored content designed to entice the reader into opening the message and, once opened, the malicious software can execute within the user's system.

    Socially-engineered e-mails are becoming more sophisticated. Some are designed to cleverly mimic well-known companies, government organisations and financial institutions so that the reader believes that it is genuine correspondence. Such e-mails might also include personal information, to make you trust their legitimacy. This holiday season, it's important to be extra vigilant in the face of seasonal spear-phishing.

    Socially-engineered e-mails contain content that is tailored to attract you. Examples include:

    • An e-mail purporting to be from your boss, or colleagues.
    • A message that appears to be from your bank, insurance company, social media account or other institution (it may even feature the same logo and corporate stationery, designed to look official).
    • An e-mail with a subject line that might appeal to your personal interests (for example, your favourite sports team or a hobby).

    The holiday season can be a busy and stressful time of the year. Many socially-engineered e-mails use content relating to current events (or at particular times of the year) to deceive you into believing that they are legitimate. For example, intruders use high profile events such as the Group of Twenty (G20) to target attendees before, during and after with email subjects such as 'G20 Summit Update'.

    Similarly, the end of the calendar year can also result in an increase in activity. E-mails offering special holiday and Christmas deals, or seasonal greetings, will undoubtedly begin to pile up in your inbox - but beware messages purporting to bear gifts. Don't drop your guard, and think before you click.

    Ask yourself:

    • Do you recognise the sender and their email address?
    • Is the tone consistent with what you would expect from the sender?
    • Is the sender asking you to open an attachment or access a website?

    Useful References

    ASD has published Detecting Socially-Engineered E-mails, an advisory designed for all users. For more information, please visit asd.gov.au


    UPDATE: New Apple Operating System iOS 7

    In September this year, Apple announced the official release of the latest operating system for Apple devices - iOS 7. As per usual practice, iOS 6 will no longer be available for download as a result.

    ASD is currently evaluating iOS 7. In the interim, ASD advises the following:

    a. Upgrade to iOS 7. Even though iOS 7 is not yet evaluated, this version does provide security enhancements. This is consistent with ASD's advice to install the latest versions of software and patch operating system vulnerabilities as communicated in the Australian Government Information Security Manual and Strategies to Mitigate Targeted Cyber Intrusions.

    b. Implement the current iOS Hardening Configuration Guide for iOS 7. The existing guide is applicable to iOS 7. ASD will release an updated guide for iOS 7 as soon as possible. The updated guide will contain additions in response to new features, rather than wholesale changes to the existing advice.

    c. Take interim steps to address new security risks. The details and links are featured in ASD's publication: Advice on Apple Release of iOS 7.

    The publications ASD Advice on Apple Release of iOS 7, the Australian Government Information Security Manual and Strategies to Mitigate Targeted Cyber Intrusions can be found on the ASD website at asd.gov.au

    ASD Contact Details

    For non-urgent and general ICT security enquiries:

    Email: [email protected]

    For urgent and operational government ICT security matters:

    Phone: 1300 CYBER1 (1300 292 371), select 1 at any time OR

    Complete the cyber security incident report form at www.asd.gov.au
