13 February 2017

ASD gets #saferinternetday ready with cyber-attack mitigation strategies

This article was written by Michael Swinson and James Patto.

February is shaping up to be a busy month for the Australian Signals Directorate (ASD), the ICT security arm of the Department of Defence. Just in time for #saferinternetday (held on 7 February this year), the ASD has launched a new cyber security baseline document entitled ‘Strategies to Mitigate Cyber Security Incidents’ (SMCSI) and updated its self-published government guides on:

  • Detecting Socially-Engineered Emails;
  • Implications of Using Webmail for Government Business;
  • Security Tips for the Use of Social Media Websites;
  • Travelling Overseas with an Electronic Device; and
  • Multi-factor Authentication.

The SMCSI sets out a prioritised list of mitigation strategies for Australian government organisations and departments, which now addresses:

  • targeted cyber intrusions;
  • ransomware restricting or denying access to data or systems; and
  • external adversaries and malicious insiders who steal or destroy data (including intellectual property), IT infrastructure or systems.

A key amendment in the SMCSI compared to previous ASD guidance is the expanded focus on mitigation of ransomware threats and attacks by malicious insiders.

In addition to providing a number of mitigation strategies to address these risks, the SMCSI suggests an implementation order (based on the effectiveness of each mitigation strategy, rated as Essential, Very Good, Good or Limited) and ranks potential user resistance to implementation, along with the upfront and ongoing costs of each strategy, as high, medium or low.

The ASD has also produced a number of related documents which supplement the SMCSI and provide more detailed guidance on how to implement the mitigation strategies described in the SMCSI. This includes specific guidance on what the ASD has termed the ‘essential eight’ mitigation strategies. The essential eight expand on the ASD’s previous list of four core strategies and are divided into two categories:

  • Strategies to prevent malware from running – this covers application whitelisting, applying patches to fix known vulnerabilities in software applications, disabling untrusted macros, and user application hardening (e.g. blocking web browser access to certain legacy technologies such as Flash and Java); and
  • Strategies to limit the extent of incidents and recover data – this covers restricting administrative access privileges, applying patches to fix known vulnerabilities in operating systems, using multi-factor authentication to control user access, and making daily backups of important data.

While no mitigation strategy will be foolproof, the ASD recommends that organisations follow the essential eight strategies in order to set a baseline level of protection, which the ASD considers will make it significantly less likely that protected systems will be compromised. Of course, it remains extremely important to prepare appropriate data breach and cyber-attack response procedures (including a clear hierarchy of responsibility) to ensure that when the attack occurs:

  • time and resources are spent efficiently and effectively to resolve the issue with minimal damage to the organisation; and
  • to the extent that they apply, legislative data breach notification obligations are adhered to (in this regard, Australia’s long-anticipated mandatory data legislation passed the House of Representatives this week).

Compliance with the ASD essential eight mitigation strategies will become mandatory for all Commonwealth government agencies if they are included in the Attorney-General’s protective security policy framework (which currently only covers the ASD’s previous ‘top four’ strategies). In any case, the ASD’s recommendations are an excellent reference point for private sector organisations seeking to stress-test their own cybersecurity strategies. Certainly the latest updates from the ASD serve as a useful reminder that risk mitigation strategies must be continually reassessed in order to cope with continually changing and developing security threats.
