G20 Cyber Security Advice

Download CSOC Protect Notice, G20 Cyber Security Advice (490K PDF), November 2013

Introduction

  1. Targeting of high profile events such as the G20 by state-sponsored or other foreign adversaries, cyber criminals and issue-motivated groups is a real and persistent threat. The information contained on government systems, whether classified or unclassified, is of strategic interest to cyber adversaries. Information gathered through cyber espionage can be used to gain an economic, diplomatic or political advantage.
  2. There are many examples of entities being targeted due to their involvement in high profile events. In November 2012, Association of Southeast Asian Nations (ASEAN)-themed malicious emails were sent targeting Australian government agencies in an attempt to compromise their networks and obtain sensitive information. These emails appeared to come from entities associated with ASEAN events.
  3. In July-August 2013, Asia-Pacific Economic Cooperation (APEC) and G20-themed malicious emails were sent to multiple Australian government agencies from webmail accounts misrepresenting persons and organisations having an association to these events.
  4. From 1 December 2013, Australia assumes the chairmanship of the G20 for 2014. Australian networks will consequently become a more attractive target for cyber espionage and attack.
  5. It is important to be aware of malicious activities such as the ones listed above. There are some simple steps that all users can take to reduce the risk of cyber espionage.

Socially-engineered emails – think before you click

  1. The most common technique used to gain access to government information and networks is the socially-engineered email. It is common for G20-related emails to be sent to a broad range of Australian government departments before, during and after the event. The aim of malicious cyber actors is to gain access to information any way possible. These adversaries look for a weak link to try and break into a network. It is important to remember that you may be targeted even if you are not directly involved with the event.
  2. If you suspect you have received a socially-engineered email, ask yourself some questions before opening any attachment or following any link in it:
    1. Is the email from a trusted source?
    2. Is the manner in which the email is written consistent with what you expect from the sender?
    3. Is the sender encouraging you to download a file, open an attachment or visit a website for further information?
  3. Here are a few tips to defeat the socially-engineered email threat:
    1. If you have any doubt about the legitimacy of an email, check its authenticity by giving the sender a quick call, using a number you already have rather than one supplied in the email.
    2. Do not click on links in emails. Hover your cursor over a link to see whether the destination it actually points to matches the address shown in the email. Preferably, type the address of the site you expect into your internet browser yourself rather than following the link.
    3. Be wary of unusual file types, for example .jar and .exe, and do not open them if they are not what you were expecting. Only the final extension counts: a file named agenda.pdf.exe is an executable, not a document.
  4. Signs that you may have inadvertently opened a malicious document include:
    1. An attachment that contains no content, or that flickers or flashes when opened
    2. A web link that directs you to a website with limited or unexpected content
    3. Dialogue boxes that close before you have had a chance to read them.
  5. To help ensure the legitimacy of your email communications, if the option is available, digitally sign your emails when communicating externally as part of your G20 duties. If you suspect that you have been the target of a socially-engineered email, do not delete or forward the email, so that its original headers and attachments are preserved for analysis. Instead, contact your ICT security team immediately and provide them with the details they request.
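The hover-over-the-link and unusual-file-type checks above can be applied mechanically to a raw message. The script below is an added example for this notice, not tooling from ASD or the CSOC; the email it parses is constructed for the demonstration (the sender, the hosts, the IP address and the attachment name are all invented), and the list of risky extensions beyond the notice's own .jar and .exe is an assumption of the example. It flags a link whose visible text names one host while its href points at another, and any attachment whose final extension is executable, which is how a double extension such as agenda.pdf.exe is caught.

```python
"""Automate two checks from the notice: do an email's links go where their
visible text says, and does it carry attachments of unexpected executable
types (including double extensions such as agenda.pdf.exe)? Added example,
not ASD/CSOC tooling; the sample message and every name in it are invented."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# .jar and .exe come from the notice; the rest are an assumption of this example.
RISKY_EXTENSIONS = {"exe", "jar", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "lnk"}

# Constructed lure: one link whose text names g20.org but whose href is a bare
# IP address, plus an attachment named like a PDF that is really an .exe.
SAMPLE_EML = b"""From: "G20 Secretariat" <secretariat@g20-summit-example.invalid>
Subject: Updated G20 Leaders' Summit agenda
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the agenda at
<a href="http://203.0.113.10/login">https://www.g20.org/agenda</a>
and confirm attendance via <a href="https://www.g20.org/rsvp">this link</a>.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="G20_Agenda.pdf.exe"
Content-Disposition: attachment; filename="G20_Agenda.pdf.exe"

placeholder-bytes-not-a-real-binary
--b1--
"""

# Something that looks like a host name inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host of a URL or bare host name, lower-cased, leading www. dropped."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html):
    """(visible text, href) pairs where the text names one host but the href
    points at another: what the notice's hover-over check reveals."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = HOST_IN_TEXT.search(text)
        if shown is None:
            continue  # text like "this link" makes no host claim to compare
        if host_of(shown.group(0)) != host_of(href):
            findings.append((text, href))
    return findings


def risky_attachments(msg):
    """Attachment names whose final extension is a risky type; the final
    extension is what the OS runs, whatever precedes it (agenda.pdf.exe)."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name and name.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS:
            names.append(name)
    return names


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and run both checks over it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"mismatched_links": mismatched_links(html),
            "risky_attachments": risky_attachments(msg)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_EML).items():
        print(kind, items)
```

Run against a saved .eml file, the two lists are what a user would find by hovering over each link and reading each attachment name to its last dot. A link whose text is just "this link" is not flagged, since it makes no claim about its destination; that is exactly the case where typing the expected address into the browser is the only safe option.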

Using webmail for government business – do you need to be mobile?

  1. Web-based email (webmail) is email accessed using a web browser, such as Gmail, Hotmail or Yahoo Mail. You should avoid using webmail for business purposes, especially when communicating official or sensitive government information. This includes unclassified information. Webmail bypasses the security controls your ICT security team has put in place: they have no visibility of, and no ability to protect, information shared through such accounts.
  2. If you are involved in the G20 as a delegate or organiser, and need to be mobile in support of your official duties, please discuss possible secure access solutions with your ICT security team.

Removable media and mobile devices – if it’s not yours, don’t use it!

  1. Removable media (eg, USB flash drives, CD/DVD disks) and mobile devices (eg, smartphones and tablets) can be inadvertently or intentionally contaminated with malicious software.
  2. Gifting. It is common to receive small gifts, such as removable media in the form of a USB device, from stakeholders when attending events, including G20 events. People with malicious intent may use these opportunities to gift electronic devices that are preloaded with malicious software. When such a device is used or connected to an Australian government network or a personal device, the malicious software may install and run, allowing the theft of official or sensitive data.
  3. Gifted electronic devices should not be used and should be handed in to ICT security staff as soon as possible. Your ICT security team can scan removable media for hidden malicious software and decide whether it is safe to use.
  4. Some tips to reducing the risk associated with removable media and mobile devices include:
    1. Do not accept complimentary or promotional removable devices.
    2. Do not offer or allow another unauthorised person to insert any removable media or mobile electronic device into a computer that connects to important information or any government network.
    3. Where possible, only insert your removable media or mobile devices into trusted computers. Inserting them into an unknown computer risks transferring malicious software from that computer to your media, or vice versa.
    4. When charging a mobile device from a USB port, connect it only to a trusted computer or to a mains charger; a USB connection can carry data as well as power.
    5. Maintain physical control over your mobile devices (whether they are your own or agency-issued), not only to minimise the risk of theft or loss, but also to protect the confidentiality of information stored on the device.

Connecting to public networks – what are you communicating?

  1. Cyber intruders have been known to exploit hotel or conference facility networks to gain access to mobile devices. Avoid communicating any official or sensitive information from devices that are not connected to a secure network. Where possible, avoid using hotel internet kiosks and internet cafes to send or receive important data. Do not connect to open Wi-Fi networks for business purposes. Enable only the wireless communications (Wi-Fi, Bluetooth and similar) that you need and that can be secured, and turn them off when not in use.
  2. Avoid or limit the use of wireless networks. Where possible, Australian Government staff are encouraged to use a Virtual Private Network (VPN) to connect to their organisation's secure network, so that traffic crossing an untrusted hotel or conference network is encrypted.

Internet presence including social media – who can see your information?

  1. Users of social media need to be aware that their online presence makes them an attractive target for adversaries. Users posting information about their G20 involvement could unknowingly provide people with details that can be used to elicit government information from them, or to tailor social engineering campaigns to compromise an agency network. Users should assume that everything posted on social networking websites is permanent. Be aware that online professional profiles, such as a listing in the Australian Government Directory, present a similar risk.
  2. To reduce the chance of being targeted by a socially-engineered campaign, users should:
    1. Carefully consider the type and amount of information posted
    2. Restrict the amount of personal information posted
    3. Consider limiting access to posted personal data to 'friends only'.

Further information

  1. This document draws from the advice contained in ASD’s Protect publications, in particular:

Contact

If you have any questions regarding the security of your information or devices, you should contact your ICT security team in the first instance.

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.

Customers requiring specific G20 information should contact the G20 Taskforce.