Issue #12 December 2013 Page 1

ASD CYBER SECURITY BULLETIN


Issue #12 December 2013
Inside this issue
Don't let your guard down .................................1
Removable threat ..............................................2
Freebies carry hidden cost ................................4
Don't be speared this Christmas .......................5
UPDATE: New Apple operating system iOS 7 ....6
Don't let your guard down
The holiday season is a busy time of year. However, with greater numbers of staff on leave, it is also a time when adversaries can take advantage of varying workloads. Agencies need to remain vigilant to ensure that regular security practices are not overlooked as the year draws to a close.
The end of the year is also a time for us to reflect on the lessons learnt in the past twelve months. What elements of your information security posture worked well? What gaps still need to be addressed? For Government agencies, these gaps may lie in the implementation of ASD's Top 4 Strategies to Mitigate Targeted Cyber Intrusions, which became mandatory for Government agencies under the Protective Security Policy Framework (PSPF) earlier this year. A number of agency responses on implementation of PSPF mandatory requirements point to issues related to implementation of Application Whitelisting (No. 1 of the Top 4). ASD has developed a range of advice publications to assist agencies. These are available on our public website (asd.gov.au). Examples include:
Top 4 Mitigation Strategies for Senior Managers
Application Whitelisting Explained
Top 4 Strategies to Mitigate Targeted Cyber Intrusions: Mandatory Requirements Explained
ASD has seen many changes in 2013, including the renaming of our organisation from the Defence Signals Directorate to the Australian Signals Directorate, as outlined in the 2013 Defence White Paper. Although our name has changed, our mandate has not. We remain committed to and focussed on assisting agencies in ensuring the security and resilience of their information and ICT systems.
I want to thank agency CIOs, CISOs and IT Security Advisors for their continued engagement, support and collaboration on cyber security matters during 2013 and look forward to our continued partnership next year.
As many of our staff head off on leave over the December - January period, I strongly encourage you to continue to report incidents to the Cyber Security Operations Centre. We must remain vigilant to the numerous cyber threats out there. Adversaries will look to take advantage of smaller staff numbers and the usual drop-off in operational tempo over the holiday period.
On behalf of ASD and my cyber security staff, I wish you a happy and cyber safe holiday season.
Joe Franzi is the Assistant Secretary for Cyber Security at the Australian Signals Directorate.
Removable threat
Removable media such as flash drives, CDs/DVDs and external hard drives are commonplace in our lives today. The use of removable media at work, while often the quickest and most convenient method of transferring and transporting data, brings with it a number of risks.
What can happen?
The most significant security threats are the introduction of malicious software (malware), and data spills.
Inserting removable media can transfer hidden malware onto your system without your knowledge. Once malware starts to run, an intruder can see everything that you can see and use your computer to gain access to your wider network.
Data spills occur when sensitive or classified data is transferred onto a system not accredited to handle that material. This usually occurs as a result of user error and can jeopardise the integrity and control of that information. By controlling the use of removable media around classified systems, the risk of this occurring can be minimised.
Take control
All Australian government agencies need to develop and implement a policy to manage the use of removable media on their networks.
It is recommended that agencies undertake a risk assessment of their removable media usage procedures and subsequently select the appropriate controls from the Australian Government Information Security Manual (ISM) to mitigate the risks associated with removable media. Once an agency has implemented the appropriate controls, it needs to ensure that these are supported with adequate enforcement and user training.
The ISM provides technical security controls to assist with the following aspects of removable storage media control:
Handling: maintain confidentiality by accurately classifying, reclassifying, labelling and registering media in accordance with the information it holds.
Usage: maintain the confidentiality of stored information by implementing and documenting appropriate standards for connecting, storing and transferring media.
Sanitisation: reduce the likelihood of a data spill by implementing proper processes for sanitising media that is no longer required, or before it is reused.
Destruction: prevent unauthorised access to stored classified or sensitive information by destroying media that cannot be sanitised appropriately.
Disposal: minimise the likelihood of a data spill when media is released into the public domain by declassification and a formal administrative decision to approve its disposal.
Related advice
ASD publishes a number of documents to assist system owners, project managers, and technical and security staff, including:
The Australian Government Information Security Manual: www.asd.gov.au
Strategies to Mitigate Targeted Cyber Intrusions: www.asd.gov.au
Issue-specific Protect publications: www.onsecure.gov.au
What is removable media?
Removable media is any storage media or device, with the ability to be read and written to, which may be removed from a computer system without requiring the computer to be powered off. This includes:
External hard disk drives
USB flash drives
Optical discs, such as CDs and DVDs
Memory cards
Magnetic tapes or disks
Freebies carry hidden cost
Targeting of high profile events such as G20, ASEAN and VIP visits by malicious cyber intruders is a real and persistent threat to Australian government agencies. Intruders may use these opportunities to gift electronic devices that are preloaded with malware to participants.
Recent media reporting alleges that participants at a G20 meeting were gifted electronic devices potentially infected with malware. When these devices are used or connected to an Australian Government network, or a personal device, malware may install and run, compromising the network and potentially leading to theft of sensitive data.
IT security staff and attendees at events need to be aware of the threat posed by these non-traditional attempts to gain access to their valuable information. Whenever 20 of the world's largest and fastest developing economies are involved, intruders would love to have access to any related information, so user education remains vital to mitigating the cyber threat.
Gifted electronic devices should not be used and should be reported immediately to ICT security staff. ICT security staff should then contact the CSOC when they are notified of staff receiving electronic gifts.
More information is available in ASD's Protect fact sheet Cyber Security Advice for High Profile Events. This can be found in the Publications section of the ASD website. Stay tuned to this section for specific G20 advice.
Don't be speared this Christmas
Cyber intruders use seasonal themes to entice readers to open emails containing malware. These socially engineered e-mails are the most common intrusion technique observed by ASD's Cyber Security Operations Centre. Socially engineered (or spear-phishing) e-mails contain tailored content designed to entice the reader into opening the message; once it is opened, the malicious software can execute within the user's system.
Socially-engineered e-mails are becoming more sophisticated. Some are designed to cleverly mimic well-known companies, government organisations and financial institutions so that the reader believes that it is genuine correspondence. Such e-mails might also include personal information, to make you trust their legitimacy. This holiday season, it's important to be extra vigilant in the face of seasonal spear-phishing.
Socially-engineered e-mails contain content that is tailored to attract you. Examples include:
An e-mail purporting to be from your boss or colleagues.
A message that appears to be from your bank, insurance company, social media account or other institution (it may even feature the same logo and corporate stationery, designed to look official).
An e-mail with a subject line that might appeal to your personal interests (for example, your favourite sports team or a hobby).
The holiday season can be a busy and stressful time of the year. Many socially-engineered e-mails use content relating to current events (or to particular times of the year) to deceive you into believing that they are legitimate. For example, intruders use high profile events such as the Group of Twenty (G20) to target attendees before, during and after the event with email subjects such as "G20 Summit Update".
Similarly, the end of the calendar year can also result in an increase in activity. E-mails offering special holiday and Christmas deals, or seasonal greetings, will undoubtedly begin to pile up in your inbox, but beware messages purporting to bear gifts. Don't drop your guard, and think before you click.
Ask yourself:
Do you recognise the sender and their email address?
Is the tone consistent with what you would expect from the sender?
Is the sender asking you to open an attachment or access a website?
Useful References
ASD has published Detecting Socially-Engineered
E-mails, an advisory designed for all users.
For more information, please visit asd.gov.au
UPDATE: New Apple Operating System iOS 7
In September this year, Apple announced the official release of the latest operating system for Apple devices, iOS 7. As per usual practice, iOS 6 will no longer be available for download as a result. ASD is currently evaluating iOS 7. In the interim, ASD advises the following:
a. Upgrade to iOS 7. Even though iOS 7 is not yet evaluated, this version does provide security enhancements. This is consistent with ASD's advice to install the latest versions of software and patch operating system vulnerabilities, as communicated in the Australian Government Information Security Manual and Strategies to Mitigate Targeted Cyber Intrusions.
b. Implement the current iOS Hardening Configuration Guide for iOS 7. The existing guide is applicable to iOS 7. ASD will release an updated guide for iOS 7 as soon as possible. The updated guide will contain additions in response to new features, rather than wholesale changes to the existing advice.
c. Take interim steps to address new security risks. The details and links are featured in ASD's publication Advice on Apple Release of iOS 7.
The publications ASD Advice on Apple Release of iOS 7, the Australian Government Information Security Manual and Strategies to Mitigate Targeted Cyber Intrusions can be found on the ASD website at asd.gov.au.
ASD Contact Details
For non-urgent and general ICT security enquiries:
Email: asd.assist@defence.gov.au
For urgent and operational government ICT security matters:
Phone: 1300 CYBER1 (1300 292 371), select 1 at any time OR
Complete the cyber security incident report form at www.asd.gov.au
