Managing Cyber Security in an Increasingly Interconnected World
Assistant Secretary Cyber Security Joe Franzi's address to CeBIT Cyber Security Conference, Sydney Olympic Park, 5 May 2014
It’s great to be back here at CeBit again in 2014.
I have a lot of new ground to cover so let me get straight into what I will be sharing with you today:
- a quick rundown on the latest from the cyber threat environment
- ASD’s four P’s of BYOD
- the big movers and shakers in tackling cyber intrusions
- the current resourcing climate in ICT security, and
- the current status of the Australian Cyber Security Centre.
New from the threat environment
So let me begin with some of the latest threat information, based on what we are observing in the Cyber Security Operations Centre, or CSOC.
To help paint the threat picture, I will kick off with some stats:
- In 2011, 1259 cyber security incidents were detected by or reported to the Cyber Security Operations Centre within ASD.
- In 2012, this figure jumped by 42% to 1790.
- In 2013, this increased again to 2148 incidents.
So you don’t have to be a genius to see that trend keeps going up. And we do not expect this to change.
Of the incidents we attribute to an actor or group of actors, state-sponsored actors are the most active. They are also the most sophisticated and best resourced adversaries.
State-sponsored adversaries are looking for information on Australia’s business dealings, its intellectual property, its scientific data and the government’s intentions.
The five most commonly targeted sectors in industry that we at ASD see, in no particular order, are:
- mining, resources and energy
- banking and finance
- defence capability and defence industry
- telecommunications sectors
- technology sectors.
Targeted socially-engineered emails remain the biggest intrusion technique. These made up 56% of cyber security incidents dealt with by the CSOC last year. So while it is still the technique of choice for intruders, it is in fact down from 63% in 2012 and 79% in 2011.
What we are seeing are changes to the attack surface.
In 2013, the amount of drive-by download activity observed by the CSOC increased. This is when adversaries place malware on a legit website hoping that users will inadvertently download the malware.
The adversary can then employ the ‘watering hole technique’ by choosing a website that their targeted victim has a valid business reason to visit, creating a targeted drive-by download.
We at ASD have released advice titled Protecting Web Applications and Users. This is technical guidance for improving web application security through implementing web browser-based mitigations. The Top 4, fifth and seventh Strategies to Mitigate Targeted Cyber Intrusions will also help tackle drive-by downloads.
Attack techniques are changing because technology is changing.
Intruders will adapt to the security landscape, so it is important for security efforts to be equally adaptive.
We at ASD recognise this, and we regularly publish and update our advisories and publications to ensure that they are relevant to and effective against current threats.
Four P’s of BYOD
I will now move from current threats to current opportunities.
Most of you will be aware of the advantages that a Bring Your Own Device or BYOD scheme can provide. These include flexibility, initial cost reductions and the ability to embrace the latest technology.
However, BYOD also introduces new risks to an organisation's business and the security of its information. So we need to carefully consider the opportunities and risks before implementation.
Before I get into the four P’s I mentioned in my introduction, there are three key initial considerations to be explored before you even to attempt to delve into the murky waters of BYOD.
What are the legal implications?
Legislation such as the Privacy Act, Archives Act and Freedom of Information Act can affect whether an organisation is able to implement BYOD in their environment. If so, what controls need to be implemented to ensure all legal obligations can be fulfilled?
BYOD can increase liability risk to an organisation. Organisations will need to be ready to manage issues such as:
- software licencing
- inadvertent damage to an employee's personal data
- expectations of privacy in the event of an investigation
- Freedom of Information request or incident response.
What are the financial implications?
Organisations implementing BYOD may benefit from reduced hardware costs if employees pay for their own devices. However, there can be an overall cost increase as a result of:
- the need to technically support a variety of devices
- to manage security breaches
- to cover some costs associated with the employee's device.
What are the security implications?
Devices storing unprotected sensitive data could be lost or stolen.
Employees also often use corporately unapproved applications and cloud services to handle sensitive data.
An organisation may have reduced assurance in the security of devices that are not corporately managed.
Employees will often lack the IT knowledge and motivation to reduce security risks to their devices.
So, after these initial considerations are pondered, you can adopt ASD’s four P’s model:
The first step is establishing a purpose. Organisations need to have a strong business case to establish an enterprise mobility scheme.
A change in work practices will mean a change in risk profile. Organisations should use a risk management process to balance the benefits of BYOD with associated business and security risks.
Consider the benefits, the risks, and the resources that will be required, and whether enterprise mobility will enhance users’ ability to do business.
The second step is planning. It is crucial you take the time to get this right.
You need to consider the different options available and make an informed risk-based decision.
Once you have decided who you are trying to ‘make mobile,’ the next questions should be what information do they need access to, and how are they going to access it.
The third step is to develop and communicate your policy. This includes education and training on what data can be accessed, stored and communicated to which devices and by which applications.
A key aspect of this stage is your acceptable use policy. This is what communicates your expectations on employee behaviour, including what risk management controls they need to apply on your behalf.
Be consultative in your approach – effective policies are jointly developed by business and legal representatives, IT security staff, system administrators and employees themselves. This helps ensure your organisation develops a realistic policy and processes which all stakeholders are willing to adhere to.
Finally, you need to continually polish your program and review your usage policies.
This is more than just ongoing management and technical support. It requires monitoring of the scheme, including reviewing of various logs.
You need to have regular reporting to senior management to help them understand and address unacceptable risks. This will allow senior management to assess whether the benefits of enterprise mobility to the organisation justify the risks and costs.
There are many considerations when weighing up the pros and cons of an enterprise mobility solution. There is plenty of additional detailed information and guidance available on the ASD website.
To help you in considering these risks, we’ve published some advisories on BYOD schemes. The first is a comprehensive document, Risk Management of Enterprise Mobility including Bring Your Own Device.
This guide provides detailed discussion on all of the considerations I have just mentioned. In addition to this, risk management controls are also provided.
Latest Strategies to Mitigate Targeted Cyber Intrusions
I will now address the latest update to 2014’s Strategies to Mitigate Targeted Cyber Intrusions.
I wanted to update you on this year’s version and highlight some of the big movers and shakers in this year’s list.
Like a bullet
One of the biggest movers is strategy number 5, which has shot up 13 places from the previous version.
Strategy 5 is ‘User application configuration hardening’.
You may have noticed media coverage this past year about Java vulnerabilities.
This strategy addresses intrusions that exploit the prevalence of Java vulnerabilities or involve malicious macro code in Microsoft Office files.
Additional technical guidance is provided to enable organisations to continue using Java for business purposes while minimising their risk.
This mitigation strategy significantly helps to reduce the attack surface.
Specifically, it helps mitigate intrusions that involve malware that attempts to evade application whitelisting.
Also up this year from 21 into number 7 is ‘operating system generic exploit mitigation’.
This has leapfrogged up the rankings due to the increased support and proven effectiveness of Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET) software tool. In particular its effectiveness at mitigating vulnerabilities that were not publicly known at the time.
New in 2014
We also have a new strategy this year, which has made a strong debut at number 6, ‘Automated dynamic analysis’.
Dynamic analysis uses behaviour-based detection capabilities instead of relying on the use of signatures. This enables organisations to detect malware that has yet to be identified by vendors.
When organisations perform automated dynamic analysis of email and web content run in a sandbox, they are able to detect suspicious behaviour including network traffic, new or modified files, or other configuration changes.
As I said before – intruders can adapt to the threat landscape. So have we.
Debate – the human factor
For some time, one point of interest has been our inclusion of user education into our strategies document. User education brings the human factor into a largely technical document.
There is debate in the community over the effectiveness of user education as opposed to the effectiveness of technical controls.
The fact that we at ASD would include a behavioural strategy into our technical advice is testament to our holistic view of cyber security.
User education is a part of the puzzle.
Yes, there are incidents that even a highly educated user would not detect. However, in order to see cultural change in organisations, end users need to be educated and encouraged to detect and report incidents to their ICT security teams.
While a lot of our processes are now carried out by computers, we have to remember that there is a human directing, clicking and programming their actions.
Rather than debating which technique is better, we as a community need to embrace both technical and behavioural techniques to secure our data and networks.
No ‘diet Top 4’
With the move to bring more government services online, the need to secure personally identifiable information has never been more important.
As organisations grapple with combating the expanding sophistication of malicious cyber activities, delivering resilience and adaptability is a challenge for many.
Reflecting back on 2013, ASD’s Top 4 mitigation strategies have continued to prove their effectiveness as the best option for your agency in mitigating targeted cyber intrusions, based on the incidents the Cyber Security Operations Centre responded to.
I have recently been asked whether there is a softened, 'lite' version of the Top 4?
The simple answer to this is that there is no 'diet Top 4'.
Based on ASD's technical and operational experience in cyber security, the Top 4 remain the most effective 'bang for buck' defence when implemented as a package.
This has been supported by research from Microsoft and the SANS Institute, which has published a revised version of the 20 Critical Controls following the release of ASD's updated 2014 Strategies to Mitigate Targeted Cyber Intrusions.
Like all aspects of security, there is a cost – but agencies need to weigh up the risks and address their own security culture.
The Top 4 should form an integral part of every agency's cyber security foundation.
Implementing the Top 4 mitigation strategies can be achieved gradually, firstly on workstations of users who are most likely to be targeted by cyber intrusions, and then implementing them on all workstations and servers.
Once this is achieved, organisations can selectively implement additional mitigation strategies to address security gaps until an acceptable level of residual risk is reached.
Of course, not all networks are the same – but to help in ensuring that networks have strong, consistent and effective defences, ASD publishes a range of technical advisories for different audiences.
The recent release of the ASD Protect The Top 4 in a Linux Environment is an excellent example of how ASD recognises the practicalities of implementing the mitigation strategies across different operating environments, and offers effective advice without compromising on security or offering a watered down 'lite' solution.
So I think that we can all agree that malicious cyber activity is a major security threat facing Australia. It is time to get serious – all organisations are targets.
Eliminating cyber security threats is impossible, so protecting against them should be a priority.
A fortress mentality will not prevent compromises or breaches from happening. We need to move from protecting the perimeter to protecting data.
The Top 4 are now mandatory for federal government departments under the Protective Security Policy Framework.
But sound advice is just sound advice if it is not effectively implemented.
Cyber security must be addressed at the most senior levels: given the increasing complexity and speed of cyber security threats, organisations must adopt approaches to cyber security that will require much more engagement from the CEO and other senior executives to protect critical information without constraining innovation and growth.
As senior executives, we are key in leading the charge in strengthening the security posture of our organisations.
We need to move to a business-driven cyber security model.
Cyber security needs to be a key part of business strategy rather than IT governance.
It really is up to organisational leaders to enable and resource their ICT security staff and programs to implement secure practices now, but also incorporate security into future projects and planning.
While most IT departments as a whole are reasonably well resourced, generally speaking IT security teams are not reflecting a comparative level of resourcing.
Few organisations have the systems or resources to detect and stop targeted malicious cyber activity. The challenge now is for organisations to adequately resource their IT security departments to effectively implement the Top 4 strategies and other appropriate security controls and measures.
While each organisation needs to make a risk-based decision in terms of staffing, what I can say is that zero staff is definitely wrong!
Implementing the Top 4 will make your agency a really hard target for malicious cyber actors. Attending to it is senior leader business.
What’s more, implementation of the Top 4 will allow us at ASD to focus on the highly sophisticated threats, as these are the most severe we face.
Industry can help. For advice and assistance beyond our Protect products, you can engage an ASD Information Security Registered Assessors Program (IRAP) assessor.
Australian Cyber Security Centre
These organisations demonstrate how effective collaboration between industry and government can be. Which leads me to my final topic, the ACSC.
Set to open in the second half of this year, the new Australian Cyber Security Centre (ACSC) is the brightest light on our horizon.
For some years now, various parts of the Australian Government have been growing independent cyber security capabilities. This is understandable when a new phenomenon, such as cyber, confronts a government.
But in doing so our resources were separated, and therefore have not been as efficient as they could be.
And with this separation there has been some confusion about who to call, whether you are from government or industry, when you have a cyber security issue.
In recognition of these circumstances, the government decided to locate our key cyber security capabilities in the one facility and establish the Australian Cyber Security Centre.
Its mission will be to lead the Australian Government’s efforts to:
- analyse threats to critical cyber and ICT infrastructure
- develop shared situational awareness across government and industry, and
- lead the national response to cyber security incidents.
73% of the centre will be Defence staff. The rest will be comprised of the cyber security capabilities from:
We will all be housed within the new Ben Chifley Building in Canberra. We will hopefully be getting the keys in the next few months. Once we get the keys we can begin the fit-out.
But it is important to understand that each contributing agency will maintain its current responsibilities, mandates and authorities under the law and to government.
So it is a colocation model, not an integration model.
This colocation will enable a more complete understanding of the cyber threat, facilitate more effective responses to serious cyber incidents and see a more coordinated interaction with international and industry partners.
The centre will be governed by the Cyber Security Operations Board (CSOB), chaired by the Secretary of the Attorney-General’s Department, who will advise the ministers.
The board has endorsed the governance arrangements and the concept of operations for the ACSC.
Because the centre is a colocation model it will not derive its benefits until all elements are in the Ben Chifley Building later this year.
The centre is very good news for Australia. But we need to see it as an evolutionary, rather than revolutionary, step.
The centre will help in facilitate higher-level sharing of information, which will inform policy and enhance coordinated operational responses.
The new Australian Cyber Security Centre is an important development for Australia, and we are going to take the time to get it right.
2014 has, is and will be a big year for cyber security in Australia, with the Australian Cyber Security Centre set to become operational by the end of the year.
My staff and I look forward to partnering with you as we work together in defeating the cyber threat.
I now welcome your questions.
Australian government agencies seeking further information should contact ASD.