Computerworld

Government agencies ordered to block online ads, Flash

New cyber security guidelines for government released

Web browsers on Australian government workstations should, by default, be configured to block online ads, Adobe Flash and Java.

The new security controls — which have been given the priority of “Must” — apply to all systems that deal with official government data, even if it is unclassified.

The controls are part of a major update to, and restructuring of, the government’s Information Security Manual, which for the first time has been officially published by the Australian Cyber Security Centre. The ACSC is overseen by the Australian Signals Directorate, and in previous years the ISM has been branded as an ASD document.

The new controls were “Added to address a gap in guidance on the hardening of web browsers,” a document accompanying the ISM states.

“By default, many applications enable functionality that is not required by users while security functionality may be disabled or set at a lower security level,” the latest edition of the ISM states.

“This is especially risky for key business applications such as office productivity suites, Portable Document Format (PDF) viewers, web browsers, common web browser plugins, email clients and software platforms that are likely to be targeted by an adversary.

To assist in minimising this security risk, the ACSC produces hardening guidance to assist in securely configuring key business applications. Further, to assist in securely configuring their applications, vendors may provide their own security guides.”

Patch your systems

Many of the updated controls are closely aligned with the ‘Essential Eight’: a list of ASD-endorsed mitigation strategies, including its ‘Top 4’ strategies which are, in theory at least, mandatory for government agencies to implement.

The Essential Eight are application whitelisting, application patching, configuring Microsoft Office macros to minimise risk, hardening user applications, restricting admin privileges, patching operating systems, using multi-factor authentication, and conducting daily backups of important information.

The list was published in February 2017; a parliamentary inquiry has previously recommended that implementation of the Essential Eight be made mandatory for Commonwealth organisations.

New controls added to the ISM state that agencies must patch or mitigate “extreme risk” vulnerabilities in operating systems and firmware “within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users”. High risk vulnerabilities must be patched within two weeks of being identified.

Where possible, a “centralised and managed approach” should be used for patching.

The ISM also states that operating systems that are “no longer supported by vendors with patches or updates for security vulnerabilities” are to be updated or replaced with supported versions.
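The 48-hour and two-week windows above are only useful if an agency can tell, per host, which findings have breached them. The following Python script is an added example, not from the article or the ISM: it takes a constructed inventory of findings (hypothetical hosts and finding ids; a real deployment would pull these rows from a vulnerability scanner or CMDB) and classifies each against the patch window for its risk rating, measured from the identification date as the quoted control requires.

```python
from datetime import datetime, timedelta

# Patch windows as summarised in the article's description of the new ISM
# controls, measured from the time the vulnerability was identified.
PATCH_WINDOW = {
    "extreme": timedelta(hours=48),
    "high": timedelta(days=14),
}

# Constructed sample inventory (hypothetical hosts and finding ids).
SAMPLE_FINDINGS = [
    {"host": "ws-001", "finding": "F-1", "risk": "extreme",
     "identified": "2019-01-10T09:00", "patched": "2019-01-11T15:00"},   # patched within 48h
    {"host": "ws-002", "finding": "F-1", "risk": "extreme",
     "identified": "2019-01-10T09:00", "patched": None},                 # still open past 48h
    {"host": "srv-010", "finding": "F-2", "risk": "high",
     "identified": "2019-01-01T00:00", "patched": "2019-01-20T00:00"},   # patched, but after 14 days
    {"host": "srv-011", "finding": "F-2", "risk": "high",
     "identified": "2019-01-12T00:00", "patched": None},                 # open, still inside 14 days
    {"host": "srv-012", "finding": "F-3", "risk": "moderate",
     "identified": "2018-12-01T00:00", "patched": None},                 # no window in these controls
]


def _ts(value):
    """Parse an ISO-8601 timestamp string, or return None for an unpatched row."""
    return datetime.fromisoformat(value) if value else None


def assess(findings, now):
    """Classify each finding against its patch window as of `now`.

    Returns a list of (host, finding, status) tuples where status is one of
    'ok', 'open', 'overdue', 'patched_late' or 'no_window'.
    """
    results = []
    for f in findings:
        window = PATCH_WINDOW.get(f["risk"])
        if window is None:
            # Risk ratings the quoted controls do not set a deadline for.
            results.append((f["host"], f["finding"], "no_window"))
            continue
        deadline = _ts(f["identified"]) + window
        patched = _ts(f["patched"])
        if patched is None:
            status = "overdue" if now > deadline else "open"
        else:
            status = "patched_late" if patched > deadline else "ok"
        results.append((f["host"], f["finding"], status))
    return results


def breaches(findings, now):
    """Only the rows a compliance report needs to escalate."""
    return [r for r in assess(findings, now) if r[2] in ("overdue", "patched_late")]


def run_sample(now_iso="2019-01-15T00:00"):
    """Run the breach report over the constructed inventory at a chosen clock time."""
    return breaches(SAMPLE_FINDINGS, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    now = datetime.fromisoformat("2019-01-15T00:00")
    for host, finding, status in assess(SAMPLE_FINDINGS, now):
        print(f"{host:8} {finding:5} {status}")
```

Note that a finding patched after its deadline stays a breach regardless of when the report is run; only the open/overdue distinction depends on the clock time passed to `run_sample`.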

Other new controls aimed at compelling implementation of the Essential Eight relate to maintaining secure backups of key data, including testing restoration processes at least annually.

Cloud security

There are a number of changes to controls relating to the use of cloud computing services. Some reflect the ACSC formally taking on some of the ASD responsibilities relating to cyber security.

A new control formally kiboshes the use of public cloud for data that is classified as Secret or Top Secret: “If using outsourced cloud services for highly classified information, public clouds are not used.”

The Certified Cloud Services List (CCSL), custodianship of which is now the responsibility of ACSC, includes a number of offerings that have been assessed as suitable for use with information classified at the Protected level.

Currently, Microsoft, Macquarie Telecom, Dimension Data, Sliced Tech and Vault Systems have CCSL-listed services certified for use with Protected data. Amazon Web Services and Google are also understood to be seeking Protected certification.

The CCSL was created as part of a 2015 update to the ISM. In 2016 the ISM was updated again, with the most significant changes relating to encryption and the expected threat from quantum computing.

Last year the ASD released only an update to its controls manual, with the Department of Defence pushing back the publication of a new edition of the ISM.

The ACSC said that the new edition of the ISM included changes to reflect updates to the Australian Government Security Classification Scheme, which will be introduced as part of reforms to the government’s Protective Security Policy Framework.

The document also reflects the shift from compliance concepts to risk management concepts, the ACSC said.

“The ISM is the Australian government’s flagship document in supporting organisations to protect their information and ICT systems,” said ACSC head Alastair MacGibbon.

“The ISM is updated regularly to make sure people are best equipped to tackle the security risks associated with prevailing cyber threats,” MacGibbon said in a statement.

“You’ll see the document has been streamlined, to remove duplication and make it easier to use. What hasn’t changed is each organisation’s responsibility to protect their people, information and assets.”