Cyber Security for Contractors

Download ASD Protect: Cyber Security for Contractors (PDF), March 2017
Published March 2017; supersedes Cyber Adversaries Targeting Defence Contractors (2012)

Introduction

  1. Adversaries regularly target Australian Government information held by contractors, both classified and unclassified, in an attempt to gain an economic or strategic advantage.
  2. This document has been developed to assist contractors with appropriately securing Australian Government information on their systems.

Contractors hold valuable information

  1. Foreign intelligence services are the foremost cyber threat to Australia. Such adversaries seek both national security and commercial information to identify vulnerabilities in Australian capabilities or to further their own economic or strategic advantage.
  2. Contractors, both in Australia and overseas, have reported significant increases in malicious cyber activity against their systems and are priority targets for adversaries. Often the value to an adversary of the information contained on a contractor’s systems is not immediately evident. Unclassified information can still be sensitive; in particular, wholesale aggregation of unclassified information can present a threat to Australia’s interests.
  3. Examples of adversaries compromising contractors include the compromises of:
    1. US aerospace company Boeing, which resulted in gigabytes of information relating to 32 US projects, including information on the Lockheed Martin F-35 and F-22, as well as the Boeing C-17 aircraft, being sent to China.
    2. US security vendor RSA, which led to subsequent targeting of US defence contractors Lockheed Martin, L-3 Communications and Northrop Grumman. This cyber security incident is reported to have cost RSA USD90 million.
  4. Cyber intrusion techniques are many and varied. A common cyber intrusion technique used by adversaries is socially-engineered emails targeting high-ranking members of contractors and their support staff. These emails often aim to exploit common security vulnerabilities such as unpatched applications or operations systems, the use of similar passwords across systems, or the use of personal devices for work purposes. These emails may be sent directly from an adversary or from a supplier or sub-contractor that an adversary has already compromised in order to leverage a trusted relationship with their intended target.

Mitigation strategies

  1. To protect information provided by or developed for the Australian Government, contractors should implement the eight essential mitigation strategies from ASD’s Strategies to Mitigate Cyber Security Incidents. ASD considers this the cyber security baseline for organisations.
    1. Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
    2. Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with “extreme risk” vulnerabilities within 48 hours. Use the latest version of applications.
    3. Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in “trusted locations” with limited write access or digitally signed with a trusted certificate.
    4. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
    5. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
    6. Patching operating systems. Patch/mitigate computers (including network devices) with “extreme risk” vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
    7. Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high­availability) data repository.
    8. Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
  2. Perform regular vulnerability assessments. It addition to implementing the eight essential mitigation strategies, systems should be regularly reviewed for security vulnerabilities, particularly after significant changes. Vulnerability assessments can be done in-house or by an independent provider using both automated and manual methods.
  3. Consider implementing and sustaining an education program for employees and sub­contractors. This will provide employees and sub-contractors with a better understanding of common cyber threats such as socially-engineered emails, malicious websites and the danger of poor password policies.
  4. Beware of malicious insiders. Adversaries will often attempt to influence contractors’ employees in an attempt to gain access to Australian Government information or to have them perform actions on a system to benefit their strategic goals. By conducting ongoing vetting of employees, especially for those with privileged access, controlling the ability to remove Australian Government information from systems, and implementing a comprehensive audit program, this risk can be lowered.
  5. Report cyber security incidents early and often. This includes informing the Australian Cyber Security Centre (ACSC) of any cyber security incidents that could potentially threaten Australian Government information. Seeking assistance early can mitigate or reduce a potentially dangerous and embarrassing compromise. By immediately informing parties such as CERT Australia or ASD within the ACSC, assistance can be provided without delay and will contribute to safeguarding Australian Government information.
  6. Use available cyber security resources. Initiatives such as the Defence Industry Security Program (DISP), and organisations such as CERT Australia and ASD, provide advice and assistance to contractors, with ASD publishing a range of cyber security products on their website.
  7. Sponsorship of Defence contractors into the DISP helps to ensure that Defence contractors provide, and are provided with, appropriate security guidance. Defence contractors with membership to the DISP also have access to the electronic Defence Security Manual (eDSM), which details the standards, processes and procedures that direct the application of protective security measures by Defence personnel and external service providers.

Further information

  1. See ASD’s Strategies to Mitigate Cyber Security Incidents and supporting publications.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.