The shiny new 2016 ISM has been out for a couple of months now and everyone has had a good chance to work with it. I see a few people using my ISM Comparison Tool to get a bit of an idea of what's changed between versions, but it only gives you half the picture.
Below is my take on the ISM. I spotted some interesting changes and some 'quirks' while transcribing it from the released PDF and XML files that ASD kindly sent me. These files were used as source to convert the ISM into my data format, which in turn feeds the tools on my website.
Above all else, don't shoot the messenger: if you don't find and identify flaws, you can never fix them.
The Good
First off, this year's edition clearly had a massive amount of effort poured into it by the ISM policy team. It would seriously be a tough job to wrangle this beast of a document in all its complexity whilst continually integrating content from Subject Matter Experts, and clearly they have the right team of people on it!
Very few actual errors were found in the document compared to previous versions; if you have printed out your copy of the PDF and flipped through it, you'll be hard pressed to spot any errors at all.
Let's get straight into the good stuff.
Restructure
Several sections have shifted about in the ISM into what I find is a much better grouping/flow; for a rundown on those edits check out the 2016 ISM Changes Document.XLSX available from onSecure.
However, one move I'm not sure about yet is the Secure Administration Section, which is now its own Chapter within the Part Information Technology Security. Previously you would have found it within the Access Control Chapter from 2015.
Media Sanitisation
In short, there's a new topic providing some great guidance on Encrypted Media and how you should handle it when sanitising. The flow chart gives a good indication of which of the three new ISM controls (1464, 1465 and 1466) you need to apply in different circumstances.
ASD Approved Cryptographic Algorithms
Extra contextual changes have gone into this section of the ISM, specifically in relation to the Committee on National Security Systems Advisory Memorandum (CNSSAM).
What is of interest to us is the addition of CNSS Advisory Memo 02-15 recommendations:
| Algorithm | Function | Specification | Parameters |
|---|---|---|---|
| Advanced Encryption Standard (AES) | Symmetric block cipher used for information protection | FIPS PUB 197 | Use 256 bit keys to protect up to TOP SECRET. |
| Elliptic Curve Diffie-Hellman (ECDH) Key Exchange | Asymmetric algorithm used for key establishment | NIST SP 800-56A | Use Curve P-384 to protect up to TOP SECRET. |
| Elliptic Curve Digital Signature Algorithm (ECDSA) | Asymmetric algorithm used for digital signatures | FIPS PUB 186-4 | Use Curve P-384 to protect up to TOP SECRET. |
| Secure Hash Algorithm (SHA) | Algorithm used for computing a condensed representation of information | FIPS PUB 180-4 | Use SHA-384 to protect up to TOP SECRET. |
| Diffie-Hellman (DH) Key Exchange | Asymmetric algorithm used for key establishment | IETF RFC 3526 | Minimum 3072-bit modulus to protect up to TOP SECRET. |
| RSA | Asymmetric algorithm used for key establishment | FIPS SP 800-56B rev 1 | Minimum 3072-bit modulus to protect up to TOP SECRET. |
| RSA | Asymmetric algorithm used for digital signatures | FIPS PUB 186-4 | Minimum 3072-bit modulus to protect up to TOP SECRET. |
A brand new Control 1468 was added which encourages agencies to use the above algorithms to protect information. This information was also integrated into the table in Control 1231, which means that control was also revised; see The Ugly below.
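As an added example (my own, not from the post or from ASD), here is a small Python checker that scores a constructed cryptographic inventory against the "up to TOP SECRET" parameters in the table above. The `host role=ALG/param` line notation is an assumption invented for the example, and treating a NIST curve larger than P-384 as satisfying the P-384 parameter is also an assumption.

```python
import re

# "Up to TOP SECRET" parameters from the CNSSAM 02-15 table above, keyed by (role, algorithm) and
# expressed as a minimum: key bits (AES), curve size (ECDH/ECDSA), digest bits (SHA), modulus bits (DH/RSA).
MINIMUM = {
    ("cipher", "AES"): 256,
    ("kex", "ECDH"): 384,     # Curve P-384 (assumption: a larger NIST curve also satisfies this)
    ("sig", "ECDSA"): 384,
    ("hash", "SHA"): 384,
    ("kex", "DH"): 3072,
    ("kex", "RSA"): 3072,
    ("sig", "RSA"): 3072,
}
CURVE_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}
# Inventory notation 'host role=ALG/param ...' is constructed for this example, not an ISM/ASD format.
TOKEN_RE = re.compile(r"(?P<role>cipher|kex|sig|hash)=(?P<alg>[A-Z0-9]+)/(?P<param>[\w-]+)")


def strength_bits(alg, param):
    """Normalise a parameter to bits: curve names go through CURVE_BITS (unknown curve -> 0, so it is flagged)."""
    if alg in ("ECDH", "ECDSA"):
        return CURVE_BITS.get(param, 0)
    return int(param)


def check_line(line):
    """Findings for one inventory line; an empty list means every parameter meets the table."""
    host = line.split()[0]
    findings = []
    for m in TOKEN_RE.finditer(line):
        role, alg, param = m.group("role", "alg", "param")
        minimum = MINIMUM.get((role, alg))
        if minimum is None:
            findings.append(f"{host}: {alg} is not in the CNSSAM 02-15 table for {role}")
        elif strength_bits(alg, param) < minimum:
            findings.append(f"{host}: {role} {alg}/{param} is below the minimum of {minimum}")
    return findings


def check_inventory(text):
    """Run check_line over every non-blank line and collect all findings in order."""
    return [f for line in text.splitlines() if line.strip() for f in check_line(line)]


# Constructed sample inventory: vpn-01 meets the table, the other two hosts do not.
SAMPLE_INVENTORY = """\
web-01 kex=ECDH/P-256 sig=RSA/2048 cipher=AES/128 hash=SHA/256
vpn-01 kex=DH/3072 sig=ECDSA/P-384 cipher=AES/256 hash=SHA/384
legacy-01 kex=RSA/2048 sig=RSA/3072 cipher=3DES/168 hash=SHA/384
"""

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE_INVENTORY):
        print(finding)
```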
The Bad
Well OK, these may not really be bad, I'm just going with a theme here...
Hardening SOE Configurations
Whilst this is a great addition to the ISM, I think Control 1467 has been slightly overcooked. My perspective on this control is that it could be reworded to be more descriptive of the intent, and leave the specific listing of software to the topic that contextualises it.
Currently Control 1467 reads as follows:
The latest releases of key business applications such as office productivity suites (e.g. Microsoft Office), PDF readers (e.g. Adobe Reader), web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash), email clients (Microsoft Outlook) and software platforms (e.g. Oracle Java Platform and Microsoft .NET Framework) should be used within SOEs.
We could just simplify this control by removing the specific software examples, and we end up with the following:
The latest releases of key business applications should be used within SOEs.
Much neater/better? You tell me.
Excel File
ASD were good enough to publish an Excel workbook with the ISM Controls called "2016_ISM_Controls_v1_07Jun16.xls"; you can grab it from onSecure.
Quite a lot of controls were moved around in the 2016 release from 2015, and unfortunately it looks like the 2015 version was just edited. This means many of the controls are out of order, or are completely in the wrong section of the ISM. If you are after a more complete listing in Excel format, you can grab one using my Checklist Builder; it contains all classifications, not just the UD & P Controls.
XML File
The speed with which I was able to transcribe the ISM this year was directly attributable to ASD sending me a "file/save-as xml" version of the ISM, which was frankly just brilliant. The problems I found with the file really don't matter, but it's worth noting that the XML file ends prematurely on page 262 of the PDF, right in the middle of the Cross Domain Security and Gateways Section of the Chapter.
The Ugly
This year's edition, as I said before, has clearly had a massive amount of effort put into ensuring that the document was correct and true. Only a handful of small errors remain, and they don't drastically impact the document. As I said above, if you were reading the printed PDF you would almost never see them.
However, here they are:
Controls Updated without revision
Amazingly, only ONE control slipped through the cracks, and that's Control 1231. As outlined above, the addition of the CNSSAM recommendations to this control's table constitutes a change in the control guidance itself, yet the control's revision was not bumped from 1 to 2.
Missing Content
This old chestnut is still hanging around in the ISM, and I raised it with ASD after the 2015 Draft, the 2015 Release, the 2016 Draft and now the 2016 Release; with any luck, someone will get annoyed and just fix it...
To add to this, we now have a second 'missing content' candidate within the 2016 release. Both of them are:
- The section Conducting Security Assessments or Audits (on page 51 of the PDF) has a new topic called Terminology. This topic has no content.
- The section Software Development is still missing a Context. The context for this section was published in the 2014 Release, but it went missing in the 2015 and 2016 releases.
Australian Standards
This edition refers to a bunch of Australian Standards; whilst these standards are good as a reference, it's probably best to make sure they are actually still current.
| Standard Number | Standard Document Title | Published Date | Current Status (as of September 2016) | Publisher URL |
|---|---|---|---|---|
| AS 11770.1:2003 | Information technology - Security techniques - Key management - Framework | 31st March 2003 | Withdrawn (12/04/2016) | SAI Global |
| HB 221:2004 | Business Continuity Management | 16th September 2004 | Withdrawn (19/08/2013) | SAI Global |
| HB 231:2004 | Information security risk management guidelines | 4th March 2004 | Superseded by AS/NZS ISO/IEC 27005:2012 | SAI Global |
I would have expected AS/NZS ISO/IEC 27005:2012 - Information technology - Security techniques - Information security risk management to have been included/used within the last few releases of the ISM, as it is the current standard. Here is the link on SAI Global.
Formatting
With any large document, it's almost inevitable that formatting is going to go awry (or get missed).
- Extra blank pages? Yes, we have one of those on page 116 of the PDF.
- Within the Media Sanitisation section (on page 145 of the PDF), "Hybrid hard drives" and "Solid state drives" are both weirdly formatted; I'm not sure if they are meant to be part of the Media in Devices topic or not. They read well enough to be their own Topic, so I have imported them as such. This formatting does not exist anywhere else in the ISM PDF.
- Everybody loves extra punctuation, so within the "Web-based email services" topic on page 180 we have an extra space, "Allowing staff to access w eb-based email services...", and an extra period, "...malicious web mail attachments., which can be..."; easy fix.
- Missing punctuation? Yes, we have that too: a few controls are missing the colon ':' after the word 'Control'. These are Controls 1002, 0500 and 0501 (on page 258) and Control 0507 (on page 160). Now that's just me being picky.
Spelling
I always need a spellchecker, as I'm terrible when it comes to smashing out words accurately; here is a short list of what I spotted, valid or not:
- Page 5: [agencys' risk assessment] - the Agency has possession of the risk assessment, so perhaps [agency's risk assessment] is better?
- Page 44: [the occurence of] - missing an 'r' change to [occurrence]
- Page 51: [of asecurity assessment] - missing a space, change to [of a security assessment]
- Page 268: [then appliedx to mitigate] - remove the extra 'x' [applied to mitigate]
In all honesty, I cheated with the formatting and spelling errors by opening the PDF in Word and running the default spellchecker; it should be as simple as that for future releases.
Hyperlinks
Now this is really splitting hairs, but I noticed that a significant number of hyperlinks within the document had one of the following problems:
- The target URL did not match the link-text URL (e.g. on page 209 you have the hyperlink text "http://www.asd.gov.au/publications/protect/stolen_credentials.htm." while the hyperlink points to the target "http://www.asd.gov.au/publications/index.htm").
- The target URL was not actually a valid URL (extra periods, missing trailing slash, etc.).
- The target page no longer exists (i.e. 404); really, all of these should have been checked. I acknowledge that they may have disappeared since release.
- The target URL was incomplete where the link text was complete (i.e. it just points to the domain and is missing the full path, which is included as link text). A great example of this is on page 8: the hyperlink text is [http://www.protectivesecurity.gov.au.] but the URL target goes to [http://www.]. Your PDF reader may identify and fix this error, depending on what you're using.
- Missing the protocol (i.e. no http:// or https://). Me being picky, but depending on your PDF reader this is handled differently, and it's inconsistent with the rest of the PDF.
I don't think I need to list them all here; where possible I have tried to go through and fix all the hyperlinks when I imported the ISM. There are bound to be a few I have missed; if you spot them, flick me an email and I'll update my source files.
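As an added example (mine, not the post's), here is a Python classifier that sorts (link text, target URL) pairs into the problem categories listed above. The pairs are constructed for the example, reusing only the page 209 and page 8 URLs quoted in the post; extracting the pairs from the PDF and checking for 404s are left out because they need a PDF library and network access.

```python
# Classify (link text, target URL) pairs into the problem categories listed above. The pairs below
# are constructed for this example: the first two are the post's page 209 and page 8 examples, the
# rest are variations on the page 209 target. No real PDF extraction or 404 check is done here.
SAMPLE_LINKS = [
    ("http://www.asd.gov.au/publications/protect/stolen_credentials.htm.", "http://www.asd.gov.au/publications/index.htm"),
    ("http://www.protectivesecurity.gov.au.", "http://www."),
    ("www.asd.gov.au/publications/index.htm", "www.asd.gov.au/publications/index.htm"),
    ("http://www.asd.gov.au/publications/index.htm.", "http://www.asd.gov.au/publications/index.htm."),
    ("http://www.asd.gov.au/publications/index.htm", "http://www.asd.gov.au/publications/index.htm"),
]
STRAY = ".,;"   # sentence punctuation the PDF text layer tends to glue onto a URL


def classify_link(text, target):
    """Return the problem labels for one hyperlink; an empty list means text and target agree."""
    problems = []
    clean_text = text.rstrip(STRAY)
    if "://" not in target:
        problems.append("missing-protocol")
    if target != clean_text and clean_text.startswith(target):
        problems.append("incomplete-target")   # target stops short of the path shown in the link text
        return problems
    if target != target.rstrip(STRAY):
        problems.append("invalid-url")         # stray punctuation carried into the target itself
    if target.rstrip(STRAY) != clean_text:
        problems.append("text-target-mismatch")
    return problems


def check_links(pairs):
    """Return [(text, target, problems)] for every pair that has at least one problem."""
    report = []
    for text, target in pairs:
        problems = classify_link(text, target)
        if problems:
            report.append((text, target, problems))
    return report


if __name__ == "__main__":
    for text, target, problems in check_links(SAMPLE_LINKS):
        print(f"{', '.join(problems)}: text={text} target={target}")
```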
Footnote
Thanks for reading through yet another post about the ISM. If you have any questions/comments/hatemail :-) send it all through to [email protected]
I'm really looking forward to hearing the direction ASD will be taking the ISM for 2017; whether its format changes or not, there is always something that can be improved for the better.
.J