This article was written by Michael Swinson and James Patto.
February is shaping up to be a busy month for the Australian Signals Directorate (the ICT security arm of the Department of Defence) (ASD). Just in time for #saferinternetday (held on 7 February this year, the ASD has launched a new cyber security baseline document entitled 'Strategies to Mitigate Cyber Security Incidents' (SMCSI) and updated its self-published government guides on:
- Detecting Socially-Engineered Emails;
- Implications of Using Webmail for Government Business;
- Security Tips for the Use of Social Media Websites;
- Travelling Overseas with an Electronic Device; and
- Multi-factor Authentication.
The SMCSI sets out a prioritised list of mitigation strategies for Australian government organisations and departments, which now addresses:
- targeted cyber intrusions;
- ransomware restricting or denying access to data or systems; and
- external adversaries and malicious insiders who steal or destroy data (including intellectual property), IT infrastructure or systems.
A key amendment in the SMCSI compared to previous ASD guidance is the expanded focus on mitigation of ransomware threats and attacks by malicious insiders.
In addition to providing a number of mitigation strategies to address these risks, the SMCSI also provides details on suggested implementation order (based on the effectiveness of each of the mitigation strategies on a scale: Essential, Very Good, Good or Limited) and ranks potential user resistance to implementation, along with the upfront and ongoing costs of each strategy, on a high, medium and low basis.
The ASD has also produced a number of related documents which supplement the SMCSI and provide more detailed guidance on how to implement the mitigation strategies described in the SMCSI. This includes specific guidance on what the ASD has termed the 'essential eight' mitigation strategies. The essential eight expand on the ASD's previous list of four core strategies and are divided into two categories:
- Strategies to prevent malware from running – this covers application whitelisting, applying patches to fix known vulnerabilities in software applications, disabling untrusted macros, and user application hardening (e.g. blocking web browser access to certain legacy technologies such as Flash and Java)
- Strategies to limit the extent of incidents and recover data – this covers restricting administrative access privileges, applying patches to fix known vulnerabilities in operating systems, using multi-factor authentication to control user access, and making daily backups of important data
While no mitigation strategy will be foolproof, the ASD recommends that organisations follow the essential eight strategies in order to set a baseline level of protection, which the ASD considers will make it significantly less likely that protected systems will be compromised. Of course, it remains extremely important to prepare appropriate data breach and cyber-attack response procedures (including a clear hierarchy of responsibility) to ensure that when the attack occurs:
- time and resources are spent efficiently and effectively to resolve to issue with minimal damage to the organisation; and
- to the extent that they apply, legislative data breach notification obligations are adhered to (in this regard, Australia's long-anticipated mandatory data legislation passed the House of Representatives this week).
Compliance with the ASD essential eight mitigation strategies will become mandatory for all Commonwealth government agencies if they are included in the Attorney-General's protective security policy framework (which currently only covers the ASD's previous 'top four' strategies). In any case, the ASD's recommendations are an excellent reference point for private sector organisations seeking to stress-test their own cybersecurity strategies. Certainly the latest updates from the ASD serve as a useful reminder that risk mitigation strategies must be continually reassessed in order to cope with continually changing and developing security threats.