Issue #12 December 2013

Inside this issue
- Don't let your guard down (page 1)
- Removable threat (page 2)
- Freebies carry hidden cost (page 4)
- Don't be speared this Christmas (page 5)
- UPDATE: New Apple operating system iOS 7 (page 6)

Don't let your guard down

The holiday season is a busy time of year. However, with greater numbers of staff on leave, it is also a time when adversaries can take advantage of varying workloads. Agencies need to remain vigilant to ensure that regular security practices are not overlooked as the year draws to a close.

The end of the year is also a time for us to reflect on the lessons learnt in the past twelve months. What elements of your information security posture worked well? What gaps still need to be addressed? For Government agencies, these gaps may lie in the implementation of ASD's Top 4 Strategies to Mitigate Targeted Cyber Intrusions, which became mandatory for Government agencies under the Protective Security Policy Framework (PSPF) earlier this year. A number of agency responses on implementation of PSPF mandatory requirements point to issues related to implementation of Application Whitelisting (No. 1 of the Top 4).

ASD has developed a range of advice publications to assist agencies. These are available on our public website (asd.gov.au). Examples include:
- Top 4 Mitigation Strategies for Senior Managers
- Application Whitelisting Explained
- Top 4 Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirements Explained

ASD has seen many changes in 2013, including the renaming of our organisation from the Defence Signals Directorate to the Australian Signals Directorate, as outlined in the 2013 Defence White Paper. Although our name has changed, our mandate has not. We remain committed to and focussed on assisting agencies in ensuring the security and resilience of their information and ICT systems.
I want to thank agency CIOs, CISOs and IT Security Advisors for their continued engagement, support and collaboration on cyber security matters during 2013 and look forward to our continued partnership next year. As many of our staff head off on leave over the December - January period, I strongly encourage you to continue to report incidents to the Cyber Security Operations Centre. We must remain vigilant to the numerous cyber threats out there. Adversaries will look to take advantage of smaller staff numbers and the usual drop-off in operational tempo over the holiday period. On behalf of ASD and my cyber security staff, I wish you a happy and cyber safe holiday season.

Joe Franzi is the Assistant Secretary for Cyber Security at the Australian Signals Directorate.

Removable threat

Removable media such as flash drives, CDs/DVDs and external hard drives are commonplace in our lives today. The use of removable media at work, whilst often the quickest and most convenient method of transferring and transporting data, brings with it a number of risks.

What can happen?

The most significant security threats are the introduction of malicious software (malware) and data spills. Inserting removable media can transfer hidden malware onto your system without your knowledge. Once malware starts to run, an intruder can see everything that you can see and use your computer to gain access to your wider network. Data spills occur when sensitive or classified data is transferred onto a system not accredited to handle that material. This usually occurs as a result of user error and can jeopardise the integrity and control of that information. By controlling the use of removable media around classified systems, the risk of this occurring can be minimised.

Take control

All Australian government agencies need to develop and implement a policy to manage the use of removable media on their networks.
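As an added illustration of one control such a policy can be backed with (example code, not from ASD or the ISM): a small audit that checks removable media connection events reported by an endpoint agent against a media register, and flags media that nobody registered as well as classified media connected to a system accredited at a lower level, the data spill case described above. The log line format, hostnames, media serials and classification labels are all constructed.

```python
# Added example; not ASD or ISM code. The log line format, register,
# hostnames, serials and classification labels are all constructed.
import re
from typing import Dict, List

# Accreditation levels, lowest first (constructed, ISM-style labels).
LEVELS = ["UNCLASSIFIED", "PROTECTED", "SECRET"]

# Media register: serial -> classification the media is labelled and
# registered for (the "Handling" control). Constructed sample data.
REGISTER: Dict[str, str] = {"USB-0001": "UNCLASSIFIED", "USB-0002": "SECRET"}

# Accreditation level of each system, by hostname (constructed).
SYSTEMS: Dict[str, str] = {"ws-unclass-07": "UNCLASSIFIED", "ws-secret-02": "SECRET"}

# Constructed agent log line: "<ts> host=<name> event=usb_connect serial=<id>"
CONNECT_RE = re.compile(r"host=(\S+) event=usb_connect serial=(\S+)")

def audit(log_lines: List[str]) -> List[str]:
    """Return one finding per risky connection (empty list if all clean)."""
    findings: List[str] = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue  # disconnects and other events are not of interest here
        host, serial = m.groups()
        if host not in SYSTEMS:
            findings.append(f"{host}: system not in accreditation list")
        elif serial not in REGISTER:
            findings.append(f"{host}: unregistered media {serial}")
        elif LEVELS.index(REGISTER[serial]) > LEVELS.index(SYSTEMS[host]):
            # Classified media on a lower-accredited system: data spill risk.
            findings.append(f"{host}: {REGISTER[serial]} media {serial} "
                            f"on {SYSTEMS[host]} system")
    return findings

# Constructed sample log; USB-9999 is media nobody registered.
SAMPLE_LOG = [
    "2013-12-20T09:01:12 host=ws-unclass-07 event=usb_connect serial=USB-0001",
    "2013-12-20T09:05:40 host=ws-unclass-07 event=usb_connect serial=USB-0002",
    "2013-12-20T09:07:03 host=ws-secret-02 event=usb_connect serial=USB-9999",
    "2013-12-20T09:08:11 host=ws-secret-02 event=usb_disconnect serial=USB-0002",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Running the sample yields two findings: the SECRET stick on the UNCLASSIFIED workstation, and the unregistered stick on the SECRET workstation; a real deployment would feed the findings into the incident reporting process rather than print them.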
It is recommended that agencies undertake a risk assessment of their removable media usage procedures and subsequently select the appropriate controls from the Australian Government Information Security Manual (ISM) to mitigate the risks associated with removable media. Once an agency has implemented the appropriate controls, it needs to ensure that these are supported with adequate enforcement and user training.

The ISM provides technical security controls to assist with the following aspects of removable storage media control:
- Handling: maintain confidentiality by accurately classifying, reclassifying, labelling and registering media in accordance with the information it holds.
- Usage: maintain the confidentiality of stored information by implementing and documenting appropriate standards for connecting, storing and transferring media.
- Sanitisation: reduce the likelihood of a data spill by implementing proper processes for sanitising media that is either no longer required or is about to be reused.
- Destruction: prevent unauthorised access to stored classified or sensitive information by destroying media that cannot be sanitised appropriately.
- Disposal: minimise the likelihood of a data spill when media is released into the public domain by declassification and a formal administrative decision to approve its disposal.

Related advice

ASD publishes a number of documents to assist system owners, project managers, and technical and security staff, including:
- The Australian Government Information Security Manual (www.asd.gov.au)
- Strategies to Mitigate Targeted Cyber Intrusions (www.asd.gov.au)
- Issue-specific Protect publications (www.onsecure.gov.au)

What is removable media?

Removable media is any storage media or device, with the ability to be read from and written to, which may be removed from a computer system without requiring the computer to be powered off.
This includes:
- External hard disk drives
- USB flash drives
- Optical discs, such as CDs and DVDs
- Memory cards
- Magnetic tapes or disks

Freebies carry hidden cost

Targeting of high profile events such as G20, ASEAN and VIP visits by malicious cyber intruders is a real and persistent threat to Australian government agencies. Intruders may use these opportunities to gift electronic devices that are preloaded with malware to participants. Recent media reporting alleges that participants at a G20 meeting were gifted electronic devices potentially infected with malware. When these devices are used or connected to an Australian Government network, or a personal device, malware may install and run, compromising the network and potentially leading to theft of sensitive data.

IT security staff and attendees at events need to be aware of the threat posed by these non-traditional attempts to gain access to their valuable information. Whenever 20 of the world's largest and fastest developing economies are involved, intruders would love to have access to any related information, so user education remains vital to mitigating the cyber threat. Gifted electronic devices should not be used and should be reported immediately to ICT security staff. ICT security staff should then contact the CSOC when they are notified of staff receiving electronic gifts.

More information is available in ASD's Protect fact sheet Cyber Security Advice for High Profile Events. This can be found in the Publications section of the ASD website. Stay tuned to this section for specific G20 advice.

Don't be speared this Christmas

Cyber intruders use seasonal themes to entice readers to open emails containing malware. These socially engineered e-mails are the most common intrusion technique observed by ASD's Cyber Security Operations Centre.
Socially engineered (or spear-phishing) e-mails contain tailored content designed to entice the reader into opening the message; once opened, the malicious software can execute within the user's system. Socially-engineered e-mails are becoming more sophisticated. Some are designed to cleverly mimic well-known companies, government organisations and financial institutions so that the reader believes that it is genuine correspondence. Such e-mails might also include personal information to make you trust their legitimacy.

This holiday season, it's important to be extra vigilant in the face of seasonal spear-phishing. Socially-engineered e-mails contain content that is tailored to attract you. Examples include:
- An e-mail purporting to be from your boss or colleagues.
- A message that appears to be from your bank, insurance company, social media account or other institution (it may even feature the same logo and corporate stationery, designed to look official).
- An e-mail with a subject line that might appeal to your personal interests (for example, your favourite sports team or a hobby).

The holiday season can be a busy and stressful time of the year. Many socially-engineered e-mails use content relating to current events (or to particular times of the year) to deceive you into believing that they are legitimate. For example, intruders use high profile events such as the Group of Twenty (G20) to target attendees before, during and after the event with email subjects such as "G20 Summit Update". Similarly, the end of the calendar year can also result in an increase in activity. E-mails offering special holiday and Christmas deals, or seasonal greetings, will undoubtedly begin to pile up in your inbox, but beware messages purporting to bear gifts.

Don't drop your guard, and think before you click. Ask yourself:
- Do you recognise the sender and their email address?
- Is the tone consistent with what you would expect from the sender?
- Is the sender asking you to open an attachment or access a website?

Useful References

ASD has published Detecting Socially-Engineered E-mails, an advisory designed for all users. For more information, please visit asd.gov.au.

UPDATE: New Apple Operating System iOS 7

In September this year, Apple announced the official release of the latest operating system for Apple devices, iOS 7. As per usual practice, iOS 6 will no longer be available for download as a result. ASD is currently evaluating iOS 7. In the interim, ASD advises the following:

a. Upgrade to iOS 7. Even though iOS 7 is not yet evaluated, this version does provide security enhancements. This is consistent with ASD's advice to install the latest versions of software and patch operating system vulnerabilities, as communicated in the Australian Government Information Security Manual and Strategies to Mitigate Targeted Cyber Intrusions.

b. Implement the current iOS Hardening Configuration Guide for iOS 7. The existing guide is applicable to iOS 7. ASD will release an updated guide for iOS 7 as soon as possible. The updated guide will contain additions in response to new features, rather than wholesale changes to the existing advice.

c. Take interim steps to address new security risks. The details and links are featured in ASD's publication Advice on Apple Release of iOS 7.

The publications ASD Advice on Apple Release of iOS 7, the Australian Government Information Security Manual and Strategies to Mitigate Targeted Cyber Intrusions can be found on the ASD website at asd.gov.au.

ASD Contact Details

For non-urgent and general ICT security enquiries:
Email: asd.assist@defence.gov.au

For urgent and operational government ICT security matters:
Phone: 1300 CYBER1 (1300 292 371), select 1 at any time
OR
Complete the cyber security incident report form at www.asd.gov.au
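Returning to the three "Ask yourself" questions under Don't be speared this Christmas: the following is an added example (not ASD's code) that encodes those checks as a triage pass a mail administrator could run over an inbound message, using Python's standard e-mail parser. The internal sender directory, the keyword lists and both sample messages are constructed.

```python
# Added example; not ASD's code. The internal directory, keyword lists
# and both sample messages are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Constructed directory of internal senders: display name -> real address.
DIRECTORY: Dict[str, str] = {"Jane Director": "jane.director@agency.example"}
SEASONAL = ("g20", "christmas", "holiday", "gift", "deal")   # lure themes named in the article
URGENT = ("urgent", "immediately", "action required")        # crude tone indicators (constructed)

def triage(raw: str) -> List[str]:
    msg = message_from_string(raw)
    reasons: List[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    # Q1: known internal name on an unknown address = "purporting to be from your boss".
    if display in DIRECTORY and addr.lower() != DIRECTORY[display]:
        reasons.append(f"display name '{display}' but address {addr}")
    subject = msg.get("Subject", "").lower()
    if any(term in subject for term in SEASONAL):
        reasons.append("seasonal or event-themed subject")
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = body.lower()
    # Q2: is the tone what you would expect from this sender? Urgency is a crude proxy.
    if any(term in subject or term in text for term in URGENT):
        reasons.append("urgent tone")
    # Q3: are you being asked to open an attachment or visit a website?
    if attachments:
        reasons.append("attachment: " + ", ".join(attachments))
    if "http://" in text or "https://" in text:
        reasons.append("link in body")
    return reasons

LURE = """From: Jane Director <jane.director@webmail-free.example>
Subject: G20 Summit Update - action required

Team, please review the updated agenda immediately:
http://g20-update.example/agenda
"""  # constructed lure in the style the article describes
CLEAN = """From: Jane Director <jane.director@agency.example>
Subject: Leave roster for January

Hi all, the January roster is on the intranet as usual.
"""  # constructed benign internal message
```

triage(LURE) returns four reasons (impersonated display name, G20-themed subject, urgent tone, link in body) while triage(CLEAN) returns an empty list; the reasons are meant to prompt a human look, not to block mail on their own.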