Purpose

The purpose of the Australian Government Information Security Manual (ISM) is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their systems and information from cyber threats.

Intended audience

The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cyber security professionals and information technology managers.

Authority

The ISM represents the considered advice of the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD). This advice is provided in accordance with ASD’s designated functions under paragraph (1)(ca) of section 7 of the Intelligence Services Act 2001.

The ACSC also provides cyber security advice in the form of Consumer Guides, Australian Communications Security Instructions and other cyber security-related publications. In these cases, device and application-specific advice may take precedence over the advice in the ISM.

Legislation and legal considerations

Organisations are not required as a matter of law to comply with the ISM, unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. Furthermore, the ISM does not override any obligations imposed by legislation or law. Finally, if the ISM conflicts with legislation or law, the latter takes precedence.

While the ISM contains examples of when legislation or laws may be relevant for organisations, there is no comprehensive consideration of such issues.

Cyber security principles

The purpose of the cyber security principles within the ISM is to provide strategic guidance on how organisations can protect their systems and information from cyber threats. These cyber security principles are grouped into four key activities: govern, protect, detect and respond. Organisations should be able to demonstrate that the cyber security principles are being adhered to within their organisation.

Cyber security guidelines

The purpose of the cyber security guidelines within the ISM is to provide practical guidance on how organisations can protect their systems and information from cyber threats. These cyber security guidelines cover governance, physical security, personnel security, and information and communications technology security matters. Organisations should consider the cyber security guidelines that are relevant to each of the systems that they operate.

Frameworks

The risk management framework used by the ISM draws from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Within this risk management framework, the identification of security risks and selection of security controls can be undertaken using a variety of risk management standards, such as International Organization for Standardization (ISO) 31000:2018, Risk management – Guidelines. Broadly, the risk management framework used by the ISM has six steps: define the system, select security controls, implement security controls, assess security controls, authorise the system and monitor the system.

Define the system

Determine the value of the system, and the information it processes, stores and communicates, based on an assessment of the impact if it were to be compromised.

When embarking upon the design of a system, the value of the system, and the information it processes, stores and communicates, should be determined. This will ultimately guide activities such as the selection of security controls for the system and the level of residual risk that will be accepted before the system is authorised to operate.

For organisations that handle government information, the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (PSPF) provides guidance within Table 2 (Business Impact Levels tool – Assessing damage to the national interest, organisations or individuals) of their Sensitive and classified information policy to assist in determining the impact of information compromise.

For organisations that do not handle government information, security controls marked as OFFICIAL and OFFICIAL: Sensitive can be used for a baseline level of protection while those marked as PROTECTED can be used for an increased level of protection.

Select security controls

Using a risk assessment, select security controls for the system and tailor them to achieve an acceptable residual risk.

While the cyber security guidelines don’t articulate discrete risk statements, each cyber security guideline discusses security risks associated with the topic it covers. Paired with these discussions are security controls that the ACSC considers to provide efficient and effective mitigations based on the value of a system, and the information it processes, stores and communicates.

While security risks are discussed in the cyber security guidelines, these should not be considered an exhaustive list for a specific activity or technology. As such, the cyber security guidelines provide an important input into each organisation’s risk identification and risk treatment activities however do not represent the full extent of such activities.

While the cyber security guidelines can assist with risk identification and risk treatment activities, organisations will still need to undertake their own risk analysis and risk evaluation activities due to the unique nature of each system, its operating environment and the organisation’s risk tolerances.

Implement security controls

Implement security controls and document how they are implemented within the system and its operating environment.

Once suitable security controls have been identified for a system, they should be implemented and documented within the system’s security documentation.

Assess security controls

Assess security controls for the system and its environment to determine if they have been implemented correctly and are operating as intended.

In conducting a security assessment, it is important that assessors and system owners first agree to the scope, type and extent of assessment activities such that any risks associated with the security assessment can be appropriately managed. To a large extent, the scope of the security assessment will be determined by the type of system and security controls that have been implemented for the system and its operating environment. However, value also exists in an unfettered search for security vulnerabilities within the system and its operating environment.

For TOP SECRET systems, security assessments can be undertaken by ACSC assessors or Information Security Registered Assessors Program (IRAP) assessors. While for SECRET and below systems, security assessments can be undertaken by an organisation’s own assessors or IRAP assessors. In all cases, assessors should hold an appropriate security clearance and have an appropriate level of experience and understanding of the type of system they are assessing.

At the conclusion of a security assessment, a security assessment report should be produced outlining the effectiveness of the implementation of security controls, the system’s strengths and weaknesses, any recommended remediation activities, and an assessment of security risks associated with the operation of the system.

Authorise the system

Authorise the system to operate based on the acceptance of the security risks associated with its operation.

Before a system is authorised to operate, an authorising officer should formally accept the security risks associated with its operation. In some cases however, security risks may be inadequately identified or security controls may be inadequately implemented. In such cases, the authorising officer may request further work be undertaken by the system owner. In the intervening time, the authorising officer may choose to authorise a system to operate for an interim period with caveats placed on its use.

For TOP SECRET systems, and systems that process, store or communicate sensitive compartmented information, the authorising officer is Director-General ASD or their delegate. While for SECRET and below systems, the authorising officer is an organisation’s CISO or their delegate.

For multinational and multi-organisation systems, the authorising officer should be determined by a formal agreement between the parties involved. While for commercial providers providing services to organisations, the authorising officer is the CISO of the supported organisation or their delegate.

In all cases, the authorising officer should have an appropriate level of seniority and understanding of security risks they are accepting on behalf of their organisation. In cases where an organisation does not have a CISO, the authorising officer could be a Chief Security Officer, a CIO or other senior executive within the organisation.

Monitor the system

Monitor the system, and associated cyber threats, security risks and security controls, on an ongoing basis.

Regular monitoring of cyber threats, security risks and security controls associated with a system and its operating environment is essential to maintaining its security posture. In doing so, specific events may necessitate additional risk assessments.

• changes in security policies relating to the system
• detection of new or emerging cyber threats to the system or its operating environment
• the discovery that security controls for the system are not as effective as planned
• a major cyber security incident involving the system
• major architectural changes to the system.

Following any additional risk assessments, and the implementation or modification of any security controls, a security assessment should be completed. Once the security assessment has been completed, an authorising officer should authorise the continued operation of the system if appropriate to do so.

Cyber security leadership

To provide cyber security leadership within organisations, it is important that each organisation appoints a Chief Information Security Officer (CISO).

Responsibilities

The CISO within an organisation is typically responsible for providing strategic-level guidance for their organisation’s cyber security program and ensuring compliance with cyber security policy, standards, regulations and legislation. They are likely to work with a Chief Security Officer, a Chief Information Officer and other senior executives within their organisation.

System ownership

System owners are responsible for ensuring the secure operation of their systems; however, system owners may delegate the day-to-day management and operation of their systems to system managers.

Responsibilities

System owners are responsible for obtaining authorisation to operate each of their systems.

Cyber security events

A cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.

Cyber security incidents

A cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that have a significant probability of compromising business operations.

Detecting cyber security incidents

One of the core elements of detecting and investigating cyber security incidents is the availability of appropriate data sources. Fortunately, many data sources can be extracted from existing systems without requiring specialised capabilities.

The following table describes some of the data sources that organisations can use for detecting and investigating cyber security incidents.

In addition, logs created by various security tools and appliances such as antivirus software, content filters and host-based or network-based intrusion detection or intrusion prevention systems can be captured and correlated alongside other data sources.

Intrusion detection and prevention policy

Establishing an intrusion detection and prevention policy can increase the likelihood of detecting, and subsequently preventing, malicious activity on networks and systems.

• methods of network-based intrusion detection and prevention used
• methods of host-based intrusion detection and prevention used
• guidelines for reporting and responding to detected intrusions
• resources assigned to intrusion detection and prevention activities.

Access to sufficient data sources and tools

Many potential cyber security incidents are noticed by personnel rather than software tools. As such, successful detection of cyber security incidents is often based around trained cyber security personnel with access to sufficient data sources complemented by tools supporting both manual and automated analysis.

Cyber security incident register

The purpose of recording cyber security incidents in a register is to highlight their type and frequency so that corrective action can be taken. This information, along with information on the costs of any remediation activities, can also be used as an input to future security risk assessments.

Handling and containing data spills

When a data spill occurs, organisations should inform information owners and restrict access to the information. In doing so, affected systems can be powered off, have their network connectivity removed or have additional access controls applied to the information. It should be noted though that powering off systems could destroy information that would be useful for forensic investigations. Furthermore, users should be made aware of appropriate actions to take in the event of a data spill such as not deleting, copying, printing or emailing the information.

Handling and containing malicious code infections

Taking immediate remediation steps after the discovery of malicious code can minimise the time and cost spent eradicating and recovering from the infection. As a priority, all infected systems and media should be isolated to prevent the infection from spreading further. Once isolated, infected systems and media can be scanned by antivirus software to potentially remove the infection. It is important to note though, a complete operating system restoration from a known good backup or reinstallation is the only reliable way to ensure that malicious code can be truly eradicated.

Allowing targeted cyber intrusions to continue

When a targeted cyber intrusion is detected, organisations may wish to allow the intrusion to continue for a short period of time in order to understand its extent. Organisations allowing a targeted cyber intrusion to continue on a system should establish with their legal advisors whether the actions are breaching the Telecommunications (Interception and Access) Act 1979.

Post-incident analysis

Post-incident analysis after a targeted cyber intrusion can assist in determining whether an adversary has been removed from a system. This can be achieved, in part, by conducting a full network traffic capture for at least seven days. Organisations should then be able to identify anomalous behaviour that may indicate whether the adversary has persisted on the system or not.

Integrity of evidence

When gathering evidence following any form of cyber security incident, it is important that its integrity is maintained. Even though an investigation may not directly lead to a law enforcement agency prosecution, it is important that the integrity of evidence such as manual logs, automatic audit trails and intrusion detection tool outputs be protected.

If the Australian Cyber Security Centre (ACSC) is requested to assist in investigations, the ACSC requests that no actions which could affect the integrity of evidence be carried out before the ACSC becomes involved.

Reporting cyber security incidents

Reporting cyber security incidents to an organisation’s Chief Information Security Officer (CISO), or one of their delegates, as soon as possible after they occur or are discovered provides senior management with the opportunity to assess damage to systems and their organisation, and to take remedial action if necessary, including seeking advice from the ACSC.

Reporting cyber security incidents to the ACSC

The ACSC uses the cyber security incident reports it receives as the basis for providing assistance to organisations. Cyber security incident reports are also used by the ACSC to identify trends and maintain an accurate threat environment picture. The ACSC utilises this understanding to assist in the development of new or updated cyber security advice, capabilities and techniques to better prevent and respond to evolving cyber threats. Organisations are recommended to internally coordinate their reporting of cyber security incidents to the ACSC.

Information technology services

Information technology services encompass business process services, application processes and infrastructure services. The range of information technology services that can be outsourced is extensive.

Cloud services

The terminology and definitions used in this section for cloud services are consistent with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-145, The NIST Definition of Cloud Computing. This section also applies to cloud services that have a payment model which differs to the NIST pay-per-use measured service characteristic.

Outsourced gateway and cloud services

Commercial and government gateway and cloud services selected by the Australian Cyber Security Centre (ACSC) will need to undergo regular security assessments to determine their security posture and security risks associated with their use.

Using outsourced information technology and cloud services

Outsourcing can be a cost-effective option for providing information technology and cloud services, as well as potentially delivering a superior service; however, it can also affect an organisation’s security risk profile. A risk assessment can assist in identifying and managing jurisdictional, governance, privacy and security risks associated with the use of such services. The use of gateways or cloud services listed on the ACSC’s list of certified gateways or the ACSC’s Certified Cloud Services List can also assist in managing such risks. However, organisations will still need to decide whether a particular outsourced information technology or cloud service represents an acceptable risk and, if appropriate to do so, authorise it for their own use.

Foreign owned service providers and offshore services

Outsourced information technology or cloud services located offshore may be subject to lawful and covert collection, without an organisation’s knowledge. Additionally, use of offshore services introduces jurisdictional risks as foreign countries' laws could change with little warning. Finally, foreign owned service providers operating in Australia may be subject to a foreign government’s lawful access.

Contractual arrangements

Obligations for protecting information are no different when using an outsourced information technology or cloud service than using an in-house service. As such, the contract or service agreement between an organisation and a service provider should address mitigations to security risks. Otherwise, an organisation only has service provider promises that can be hard to verify and may be unenforceable.

Data ownership

Although data ownership resides with an organisation, this can become less clear in some circumstances, such as when legal action is taken and a service provider is asked to provide access to, or data from, their assets. To mitigate the likelihood of data being unavailable or compromised, organisations can explicitly retain ownership of their data through contract provisions.

Supply chain integrity

Organisations should determine whether measures need to be taken to mitigate the cyber threats arising from potential supply chain exploitation. In doing so, they should consider security risks that arise as systems and software are being built and delivered, as well as the degree of security risk that a particular supplier may introduce into the delivery of a contracted service. The globalised nature of information technology increases the difficulty in evaluating supply chain integrity. Adopting a risk-based approach will assist in circumstances where organisations are not able to acquire all the information necessary to do a complete security risk assessment.

Security documentation

Security documentation supports the accurate and consistent application of policies, processes and procedures. It is important that security documentation is developed by personnel with a good understanding of security matters, the technologies being used and the business requirements of the organisation and system owners.

The System Security Plan (SSP) and Incident Response Plan (IRP) form a documentation suite for a system, it is essential that they are logically connected and consistent. Furthermore, it is important that security documentation for systems are logically connected to organisational-level security documentation such as a cyber security strategy.

Security documentation may be presented in a number of formats including dynamic content such as wikis, intranets or other forms of document repositories.

Approval of security documentation

If security documentation is not approved, personnel will have difficulty ensuring appropriate policies, processes and procedures are in place. Having approval not only assists in the implementation of policies, processes and procedures, it also ensures personnel are aware of cyber security issues and security risks. As such, it is important that once security documentation has been approved it is published and communicated to all personnel.

Maintenance of security documentation

Threat environments are dynamic. If security documentation is not kept up-to-date to reflect the current threat environment, security controls and processes may cease to be effective. In such a situation, resources could be devoted to areas that have reduced effectiveness or are no longer relevant.

System Security Plan

The SSP provides a description of a system and includes an annex that describes the security controls that have been identified and implemented for the system.

• cyber security teams within the organisation
• project teams who deliver the capability (including contractors)
• support teams who operate and support the capability
• owners of information to be processed, stored or communicated by the system
• users for whom the capability is being developed.

Depending on the documentation framework used, some details common to multiple systems could be consolidated in a higher-level SSP.

Incident Response Plan

Having an IRP ensures that when a cyber security incident occurs, a plan is in place to respond appropriately to the situation. In most situations, the aim of the response will be to prevent the cyber security incident from escalating, restore any impacted system or information, and preserve any evidence.

Depending on the documentation framework used, some details common to multiple systems could be consolidated into a higher-level IRP.

Certification and accreditation authorities

Information on the certification and accreditation authorities for physical security are outlined in the Attorney General's Department (AGD)'s Protective Security Policy Framework (PSPF), Entity facilities policy.

Facilities containing systems

The application of defence-in-depth to the protection of systems is enhanced through the use of successive layers of physical security. The first layer of security is the use of Security Zones for a facility.

Deployable platforms should meet physical security certification and accreditation requirements as per any other system. Physical security certification authorities dealing with deployable platforms can have specific requirements that supersede the security controls in this document and, as such, personnel should contact their appropriate physical security certification authority to seek guidance.

In the case of deployable platforms, physical security requirements may also include perimeter controls, building standards and manning levels.

Server rooms, communications rooms and security containers

The second layer in the protection of systems is the use of a higher Security Zone or secure room for a server room or communications room while the final layer is the use of lockable commercial cabinets or security containers. All layers are designed to limit access to people without the appropriate authorisation to access systems at a facility.

Network infrastructure

While physical security can provide a degree of protection to information communicated over network infrastructure, organisations can have reduced control over information when it is communicated over network infrastructure in areas not authorised for the processing of such information. For this reason, it is important that information communicated over network infrastructure outside of areas in which it is authorised to be processed is appropriately encrypted.

Controlling physical access to network devices

Adequate physical protection should be provided to network devices, especially those in public areas, to prevent an adversary physically damaging a network device with the intention of interrupting services.

Physical access to network devices can also allow an adversary to reset devices to factory default settings by pressing a physical reset button, connecting a serial interface to a device or connecting directly to a device to bypass any access controls. Resetting a network device to factory default settings may disable security settings on the device including authentication and encryption functions as well as resetting administrator accounts and passwords to known defaults. Even if access to a network device is not gained by resetting it, it is highly likely a denial of service will occur.

Physical access to network devices can be restricted through methods such as physical enclosures that prevent access to console ports and factory reset buttons, mounting devices on ceilings or behind walls, or placing devices in locked rooms or cabinets.

Preventing observation by unauthorised people

The inside of facilities without sufficient perimeter security are often exposed to observation through windows. Ensuring systems and information are not visible through windows will assist in reducing this security risk. This can be achieved by using blinds or curtains on windows.

ICT equipment and media register

Maintaining and regularly auditing a register of authorised ICT equipment and media can assist organisations in both tracking legitimate assets and determining whether unauthorised assets have been introduced into a system or its operating environment.

Securing ICT equipment and media

ICT equipment and media needs to be secured when not in use.

• securing ICT equipment and media in an appropriate security container or secure room
• using ICT equipment without hard drives and sanitising memory at shut down
• encrypting hard drives of ICT equipment and sanitising memory at shut down
• sanitising memory of ICT equipment at shut down and removing and securing any hard drives.

If none of the above approaches are feasible, organisation may wish to minimise the potential impact of not securing ICT equipment when not in use. This can be achieved by preventing sensitive or classified information from being stored on hard drives (e.g. by storing user profiles and documents on network shares), removing temporary user data at logoff, scrubbing virtual memory at shut down, and sanitising memory at shut down. It should be noted though that there is no guarantee that such measures will always work effectively or will not be bypassed due to circumstances such as an unexpected loss of power. Therefore, hard drives in such cases will retain their sensitivity or classification for the purposes of reuse, reclassification, declassification, sanitisation, destruction and disposal.

Radio Frequency devices

Many RF devices, such as mobile devices, can pose a security risk to organisations when they are capable of picking up and recording or transmitting background conversations. In highly classified environments, it is important that organisations understand the security risks associated with the introduction of RF devices and should maintain a register of those that have been authorised for use in such environments.

Bluetooth and wireless keyboards

While there have been a number of revisions to the Bluetooth protocol that have made incremental improvements to its security over time, there have also been trade-offs that have limited these improvements, such as maintaining backward compatibility with earlier versions of the protocol. While newer versions of the Bluetooth protocol have addressed many of its historical weaknesses, it still provides inadequate security for the communication of sensitive or classified information. As such, sensitive or classification information communicated using Bluetooth will need to be limited to within RF screened buildings.

Infrared keyboards

When using infrared keyboards with SECRET systems, drawn curtains that block infrared transmissions are an acceptable method of protection.

When using infrared keyboards with a TOP SECRET system, windows with curtains that can be opened are not acceptable as a method of permanently blocking infrared transmissions.

Wireless RF pointing devices

As many wireless RF pointing devices used Bluetooth, they along with other wireless RF pointing devices can pose an unacceptable emanation security risk, unless used in an RF screened building.

Providing cyber security awareness raising and training

Organisations should ensure that ongoing cyber security awareness raising and training is provided to all personnel in order to assist them in understanding their security responsibilities. The content of cyber security awareness raising and training will depend on the objectives of the organisation; however, personnel with responsibilities beyond that of a standard user will require tailored content to meet their needs.

Using online services

Organisations should ensure personnel know what constitutes suspicious contact and how to report such events. For example, questions regarding work duties or projects being undertaken by their organisation. In addition, socially engineered messages, such as those sent via email, instant messages and direct messaging on social media, are one of the most common techniques used to spread malicious code.

Posting work information to online services

Personnel should be advised to take special care not to post work information to online services unless authorised to do so, especially in collaboration tools or forums and on social media. Even information that appears to be benign in isolation, such as the Global Positioning System information in a picture, could, along with other information, have a considerable security impact. In addition, to ensure that personal opinions of individuals are not interpreted as official policy, personnel should maintain separate work and personal accounts for online services, especially when using social media.

Posting personal information to online services

Personnel should be aware that any personal information they post to online services such as social media could be used to develop a detailed profile of their lifestyle and hobbies in order to attempt to build a trust relationship with them or others. This relationship could then be used to attempt to elicit information from them or to implant malicious code on systems (e.g. by having them open emails or visit websites with malicious content). Furthermore, encouraging personnel to use the privacy settings of online services can minimise who can view their interactions on such services.

Sending and receiving files via online services

When personnel send or receive files via online services, such as instant messaging and social media, they often bypass security controls put in place to detect and quarantine malicious code. Encouraging personnel to send and receive files via authorised services, such as email, will ensure files are appropriately protected and scanned for malicious code.

Security clearances

Where this document refers to security clearances, it applies to Australian security clearances or security clearances from a foreign government which are formally recognised by Australia.

System access requirements

Ensuring that the requirements for access to systems and their resources are documented and agreed upon helps determine if personnel have the appropriate authorisations, security clearances and need-to-know to access a system and its resources. Types of users for which access requirements should be documented include standard users, privileged users, foreign users and contractors.

Security clearances, briefings and user identification

Security clearances and briefings provide assurance that personnel can be trusted with access to information that is processed, stored or communicated by a system. In addition, having uniquely identifiable users ensures accountability for such access. Furthermore, where systems process, store or communicate Australian Eyes Only (AUSTEO), Australian Government Access Only (AGAO) or Releasable To (REL) information, and foreign nationals have access to such systems, it is important that foreign nationals are identified as such.

Standard access to systems

Personnel seeking access to systems, applications and data repositories should have a genuine business requirement verified by their manager. Once a requirement to access a system is established, personnel should be given only the privileges that they need to undertake their duties.

Standard access to systems by foreign nationals

Due to the extra sensitivities associated with Australian Eyes Only (AUSTEO), Australian Government Access Only (AGAO) and Releasable To (REL) information, foreign access to such information is strictly controlled.

Privileged access to systems

• the ability to change key system configuration settings
• the ability to change or circumvent security controls
• access to audit and security monitoring information
• access to data, files and accounts used by other users, including backups and media
• access to troubleshoot a system.

Privileged accounts are often targeted by adversaries as they can potentially give full access to systems. As such, ensuring that privileged users do not have the ability to read emails, browse the Web or obtain files via online services, such as instant messaging or social media, minimises opportunities for their privileged accounts to be compromised.

Privileged access to systems by foreign nationals

As privileged accounts often have the ability to bypass security controls on a system, it is strongly encouraged that foreign nationals are not given privileged access to systems, particularly those that process, store or communicate AUSTEO, AGAO or REL information.

Suspension of access to systems

Removing or suspending access to systems, applications and data repositories can prevent it from being accessed when there is no longer a legitimate business requirement for its use, such as when personnel change duties or leave the organisation.

Recording authorisation for personnel to access systems

Retaining records of system account requests will assist in maintaining personnel accountability. This is needed to ensure there is a record of all personnel authorised to access a system, their user identification, who provided the authorisation, when the authorisation was granted and when the access was last reviewed.

Temporary access to systems

Under strict circumstances, temporary access to systems, applications or data repositories may be granted to personnel who lack an appropriate security clearance or briefings. In such circumstances, personnel should have their access controlled in such a way that they only have access to information they require to undertake their duties.

Control of Australian systems

Due to extra sensitivities associated with AUSTEO and AGAO systems, it is essential that control of such systems is maintained by Australian citizens working for the Australian Government and that such systems can only be accessed from facilities under the sole control of the Australian Government.

Applicability

The security controls in this section apply to new cable installations or upgrades. Organisations do not need to retrofit existing cable infrastructure to align with these security controls.

When designing cable management systems, the cable labelling and registration and the cable patching sections of these guidelines also apply.

This section is applicable to all domestic facilities. For deployable platforms or facilities outside of Australia, consult the emanation security section of these guidelines.

Implementation scenarios

This section provides common security controls for non-shared government facilities, shared government facilities and shared non-government facilities. Specific requirements for any of these scenarios will be identified as such.

A non-shared government facility is where the entire facility and personnel are cleared to the highest level of information processed in the facility.

A shared government facility is where the facility and personnel are cleared at different levels.

A shared non-government facility is where the facility is shared by government organisations and non-government organisations.

Cable sheaths and conduits

The cable’s protective sheath is not considered to be a conduit. However, for fibre-optic cables with subunits, the cable’s outer protective sheath is considered to be a conduit.

Cable standards

All cables should be installed by an endorsed cable installer to the relevant Australian Standards to ensure personnel safety and system availability.

Cable colours

The use of defined cable colours provides an easily recognisable cable management system.

Cable colours for foreign systems in Australian facilities

Different cable colours for foreign systems in Australian facilities helps prevent unintended cross-patching of Australian and foreign systems.

Cable colour non-conformance

In certain circumstances it may not be possible to use the correct cable colours. Under these circumstances organisations are to band cables with the appropriate colour. The banding of cables is to comply with the inspection points for the cables. The size of the cable bands should be easily visible from the inspection point. For large bundles on cable reticulation systems, band and label the entire bundle. It is important bands are robust and stand the test of time. Examples of appropriate cable bands include stick-on coloured labels, colour heat shrink, coloured ferrules or short lengths of banded conduit.

Inspecting cables

Regular inspection of cable installations is necessary to detect illicit tampering or degradation.

Cable groupings

Grouping cables provides a method of sharing conduits and cable reticulation systems.

Use of fibre-optic cables

Fibre-optic cables do not produce, and are not influenced by, electromagnetic emanations. Therefore, they offer the highest degree of protection from electromagnetic emanation effects. Fibre-optic cables are also more difficult to tap than copper cables and many more fibres can be run per cable diameter than wired cables reducing cable infrastructure costs.

Fibre-optic cables sharing a common conduit

Fibre-optic cables of various cable groups can share a common conduit to reduce costs.

Previous / Next

Security Control: 0189; Revision: 2; Applicability: O, P, S, TS; Priority: Must

With fibre-optic cables, the fibres in the sheath only carry a single group.

Previous / Next

Security Control: 0190; Revision: 2; Applicability: O, P, S, TS; Priority: Must

If a fibre-optic cable contains subunits, each subunit only carries a single group; however, each subunit in the cable can carry a different group.

Cables sharing a common reticulation system

Laying cables in a neat and controlled manner that allows for inspection reduces the need for individual cable trays.

Enclosed cable reticulation systems

In shared non-government facilities, cables are enclosed in a sealed reticulation system to prevent access and enhance cable management.

Covers for enclosed cable reticulation systems

In shared non-government facilities, clear covers on enclosed reticulation systems are a convenient method of maintaining inspection and control requirements. Having clear covers face inwards increases their inspectability.

Sealing cable reticulation systems and conduits

In shared non-government facilities, Security Construction and Equipment Committee (SCEC) endorsed seals are used to provide evidence of any tampering or illicit access to cable reticulation systems while conduits are sealed with a visible smear of conduit glue to prevent access.

Connecting cable reticulation systems to cabinets

Strictly controlling the routing from cable management systems to cabinets prevents unauthorised modifications and tampering and provides easy inspection of cables.

Terminating cables in cabinets

Having individual or divided cabinets prevents accidental or deliberate cross-patching and makes visual inspection of cables and patching easier.

Cabinet separation

Having a definite gap between cabinets allows for ease of inspection for any illicit cables or cross-patching.

Cables in walls

Cables run correctly in walls allow for neater installations while maintaining separation and inspection requirements.

Cables in party walls

In shared non-government facilities, cables are not allowed in a party wall. A party wall is a wall shared with an unsecured space where there is no control over access. An inner wall can be used to run cables where the space is sufficient for inspection of the cables.

Wall penetrations

In shared government facilities and shared non-government facilities, penetrating a wall into a lower classified space requires the integrity of the classified spaces to be maintained. As such, all cables are encased in conduit with no gaps in the wall around the conduit.

Wall outlet terminations

Wall outlet boxes are the main method of connecting cable infrastructure to workstations. They allow the management of cables and the type of connectors allocated to various systems.

Wall outlet colours

The colouring of wall outlets makes it easy to identify TOP SECRET infrastructure.

Wall outlet covers

Transparent covers on wall outlets allow for inspection of cable cross-patching and tampering.

Audio secure spaces

Audio secure spaces are designed to prevent audio conversations from being overheard. The Australian Security Intelligence Organisation (ASIO) should be consulted before any modifications are made to audio secure spaces.

Power reticulation

In both shared government facilities and shared non-government facilities with TOP SECRET systems, it is important that TOP SECRET systems have control over the power system to prevent denial of service by deliberate or accidental means.

Applicability

This section is applicable to all domestic facilities. For deployable platforms or facilities outside of Australia, consult the emanation security section of these guidelines.

Conduit label specifications

Conduit labels should be a specific size and colour to allow for easy identification of secure conduits carrying cables.

Installing conduit labelling

Conduit labelling in public or visitor areas could draw undue attention and disclose capabilities.

Labelling wall outlet boxes

Clear labelling of wall outlet boxes diminishes the possibility of incorrectly attaching ICT equipment of a lower classification to the wrong outlet.

Labelling cables

Labelling cables with the correct source and destination information minimises the likelihood of cross-patching and aids in fault finding and configuration management.

Cabling labelling process and procedures

A well documented and followed cable labelling process, and supporting cable labelling procedures, makes cable fault finding easier.

Cable register

Cable registers allow installers and inspectors to trace cables for cable inspections and malicious or accidental damage. Cable registers track all cable management changes throughout the life of the system.

Cable inspections

Cable inspections, at predefined periods, are a method of checking the cable management system with the cable register.

Applicability

The security controls in this section apply to new cable installations or upgrades. Organisations do not need to retrofit existing cable infrastructure to align with these security controls.

This section is applicable to all domestic facilities. For deployable platforms or facilities outside of Australia, consult the emanation security section of these guidelines.

Terminations to patch panels

Connecting a system to another system of a lower classification will result in a data spill, possibly resulting in inadvertent or deliberate access by non-cleared personnel, or the lower system not meeting the appropriate requirements to secure the information from unauthorised access or tampering.

Patch cable and fly lead connectors

Ensuring that cables are equipped with connectors of a different configuration to all other cables prevents inadvertent connection of different systems.

Physical separation of patch panels

Appropriate physical separation between a TOP SECRET system and a system of a lower classification reduces or eliminates the chances of cross-patching between systems and reduces or eliminates the possibility of unauthorised personnel gaining access to TOP SECRET systems.

Fly lead installation

Keeping the lengths of fibre-optic fly leads to a minimum prevents clutter around desks, prevents damage and reduces the chance of cross-patching and tampering. If lengths become excessive, fly leads should be treated as infrastructure and run in conduit or fixed infrastructure such as desk partitioning.

Applicability

• organisations located outside of Australia
• facilities in Australia that have transmitters
• facilities that are shared with non-Australian government entities
• mobile platforms and deployable assets that process information.

Emanation security threat assessments in Australia

Obtaining current threat advice from the Australian Cyber Security Centre (ACSC) on potential adversaries, and applying the appropriate counter-measures, is vital to protecting systems from emanation security threats.

Emanation security threat assessments outside Australia

Fixed sites outside Australia, and deployed military platforms, are more vulnerable to emanation security threats. Failing to implement recommended counter-measures and SOPs to reduce threats could result in the platform emanating compromising signals, which if intercepted and analysed, could lead to platform compromise with serious consequences.

Early identification of emanation security issues

It is important to identify the need for emanation security controls for a system early in the project life cycle as this can reduce costs for the project. Costs are much greater if changes have to be made once the system has been designed and deployed.

Industry and government standards

While ICT equipment in a TOP SECRET area in Australia may not need certification to TEMPEST standards, the ICT equipment still needs to meet applicable industry and government standards.

Telephone systems usage policy

All non-secure telephone systems are subject to interception. Accidentally or maliciously revealing sensitive or classified information over a public telephone network can lead to the compromise of such information.

Personnel awareness

As there is a potential for unintended disclosure of information when using telephone systems, it is important that personnel are made aware of what they can discuss on particular telephone systems, as well as security risks associated with the use of non-secure telephone systems in sensitive or classified areas.

Visual indication

When single telephone systems are approved to hold conversations at different levels, alerting the user to the sensitivity or classification of information that can be discussed will assist in reducing the likelihood of unintended disclosure of information.

Protecting conversations

When sensitive or classified conversations are to be held using telephone systems, the conversation needs to be appropriately protected through the use of encryption.

Cordless telephone systems

Cordless telephone systems have minimal transmission security and are susceptible to interception. Using cordless telephone systems can result in disclosure of information to an unauthorised party through interception.

Speakerphones

As speakerphones are designed to pick up and transmit conversations in the vicinity of the device, using speakerphones in TOP SECRET areas presents a number of security risks. However, if an organisation is able to reduce security risks through the use of an audio secure room that is secured during conversations, then they may be used.

Off-hook audio protection

Providing off-hook security minimises the chance of background conversations being accidentally coupled into handsets and speakerphones. Limiting the time an active microphone is open minimises this security risk.

Video and voice-aware firewall requirement

Where a video conferencing or IP telephony network is connected to another video conferencing or IP telephony network belonging to a different security domain the gateways section of the Guidelines for Gateway Management applies.

Where an analog telephone network, such as the Public Switched Telephone Network (PSTN), is connected to a data network the gateways section of the Guidelines for Gateway Management does not apply.

Hardening video conferencing and Internet Protocol telephony infrastructure

Video conferencing and IP telephony traffic in a data network consists of IP packets and should be treated the same as any other data. As such, hardening can be applied to video conferencing units, handsets, software, servers, firewalls and gateways.

• has a fully patched operating system
• has fully patched software
• runs only required services
• uses encrypted non-replayable authentication
• applies network restrictions that only allow secure SIP traffic and secure Real-time Transport Protocol (RTP) traffic from video conferencing units and IP phones on a Virtual Local Area Network (VLAN) to reach the server.

Video and voice-aware firewalls

The use of video and voice-aware firewalls ensures that only video and voice traffic (e.g. signalling and data traffic) is allowed for a given call and that the session state is maintained throughout the transaction.

The requirement to use a video or voice-aware firewall does not necessarily require separate firewalls to be deployed for video conferencing, IP telephony and data traffic. If possible, organisations are encouraged to implement one firewall that is video and data-aware; voice and data-aware; or video, voice and data-aware depending on their needs.

Protecting video conferencing and Internet Protocol telephony traffic

Video conferencing and IP telephony traffic is vulnerable to eavesdropping but can be protected with encryption. When encrypting video conferencing and IP telephony traffic, voice control signalling can be protected using Transport Layer Security and the ‘sips://’ identifier to force the encryption of all legs of the connection. Similar protections are available for RTP and the Real-time Control Protocol.

Establishment of secure signalling and data protocols

Use of secure signalling and data protocols protect against eavesdropping, some types of denial of service, person-in-the-middle attacks and call spoofing attacks.

Video conferencing unit and Internet Protocol phone authentication

Blocking unauthorised or unauthenticated devices by default will reduce the likelihood of unauthorised access to a video conferencing or IP telephony network.

Traffic separation

Video conferencing and IP telephony networks should be logically or physically separated from data networks to ensure availability and sufficient quality of service.

Lobby and shared area phones

Lobby IP phones in public areas may give an adversary the opportunity to access the internal data network) by replacing the IP phone with another device or installing a device in line. Alternatively, the IP phone could be used for social engineering purposes (since the call may appear to be internal) or to access poorly protected voicemail boxes.

Microphones and webcams

Microphones (including headsets and Universal Serial Bus handsets) and webcams can pose a security risk in classified areas. An adversary can email or host a malicious application on a compromised website and use social engineering techniques to convince users into installing the application on their workstation. Such malicious applications may then activate microphones or webcams that are attached to the workstation to act as remote listening and recording devices.

Developing a denial of service response plan

Telephony is considered a critical service for any organisation. A denial of service response plan will assist in responding to a video conferencing and IP telephony denial of service, signalling floods, and established call teardown and RTP data floods.

• router and switch logging and flow data
• packet captures
• proxy and call manager logs and access control lists
• video and voice-aware firewalls and gateways
• network redundancy
• load balancing
• PSTN failover.

Using cryptographic equipment with fax machines and multifunction devices

Specific information regarding the process and procedures for sending classified fax messages using High Assurance Cryptographic Equipment can be requested from the Australian Cyber Security Centre.

Fax machine and multifunction device usage policy

As fax machines and multifunction devices (MFDs) are a potential source of cyber security incidents, it is important that organisations develop a policy governing their use.

Sending fax messages

Once a fax machine or MFD has been connected to cryptographic equipment and used to send a fax message, it can no longer be trusted when connected directly to unsecured telecommunications infrastructure or the PSTN. For example, if a fax machine fails to send a classified fax message the device will continue attempting to send the fax message even if it has been disconnected from cryptographic equipment and connected directly to the PSTN. In such cases, the fax machine could send the classified fax message in the clear causing a data spill.

Receiving fax messages

While the communications path between fax machines and MFDs may be appropriately protected, personnel should still be aware of who has a need to know of the information being communicated. It is therefore important that fax messages are collected from the receiving fax machine or MFD as soon as possible. Furthermore, if an expected fax message is not received it may indicate that there was a problem with the original transmission or the fax message has been taken by an unauthorised person.

Connecting multifunction devices to telephone systems

When an MFD is connected to a computer network and a digital telephone system, the device can act as a bridge between the two. The telephone system therefore needs to be authorised to operate at the same sensitivity or classification as the computer network.

Connecting multifunction devices to computer networks

As networked MFDs are considered to be devices that reside on a computer network, they should have the same security controls as other devices on the computer network.

Copying documents on multifunction devices

As networked MFDs are capable of sending scanned or copied documents across a connected network, personnel should be aware that if they scan or copy documents at a level higher than that of the network the device is connected to, it will cause a data spill.

Observing fax machine and multifunction device use

Placing fax machines and MFDs in public areas can help reduce the likelihood of any suspicious use going unnoticed.

Types of mobile devices

These guidelines describe the use of mobile devices including mobile phones, smartphones, tablets, laptops, portable electronic devices and other portable internet-connected devices.

Device-specific guidance

To complement the security controls in this document, the Australian Cyber Security Centre (ACSC) publishes device-specific guidance. Where device-specific guidance exists, it should be consulted in conjunction with the security controls in this document.

Mobile device management policy

Since mobile devices routinely leave the office environment, and the protection it affords, it is important that a mobile device management policy is developed to ensure that they are protected in an appropriate manner.

Privately-owned mobile devices

If organisations choose to allow personnel to use their personal mobile devices to access their organisation’s systems and information, they should ensure that the devices do not present an unacceptable security risk. Information on security risks, and recommended security controls, for allowing the use of privately-owned mobile devices are discussed in the ACSC’s Risk Management of Enterprise Mobility Including Bring Your Own Device (BYOD) publication and other hardening guidance available from the ACSC.

Seeking legal advice for privately-owned mobile devices

Allowing privately-owned mobile devices to access an organisation’s systems and information can increase liability risk. Organisations should seek legal advice to ascertain whether this scenario affects compliance with relevant legislation (e.g. compliance with government data retention laws in the Archives Act 1983), and also consider whether the increased liability risks are acceptable to the organisation. Risks will be dependent on each organisation’s mobile device usage policy and its implementation.

Organisation-owned mobile devices

If organisations choose to issue personnel with mobile devices to access their organisation’s systems and information, they should ensure that the devices do not present an unacceptable security risk. Information on security risks, and recommended security controls, for allowing the use of organisation-owned mobile devices are discussed in the ACSC’s Risk Management of Enterprise Mobility Including Bring Your Own Device (BYOD) publication and other hardening guidance available from the ACSC.

Mobile device storage encryption

Encrypting the internal storage and removable media of mobile devices will lessen security risks associated with a lost or stolen device as it will present a significant challenge to an adversary looking to gain easy access to information stored on the device.

Mobile device communications encryption

If appropriate encryption is not available, mobile devices communicating sensitive or classified information present a security risk to such information. Encrypting communications, regardless of the protocol used (e.g. Bluetooth, infrared, Wi-Fi, 3G/4G/5G or other wireless protocols) is the only way to have any assurances that the information is protected.

Mobile device Bluetooth functionality

Bluetooth provides inadequate security for information that is passed between mobile devices and other Bluetooth devices. As such, Bluetooth is not suitable for use with highly classified mobile devices. Furthermore, as Bluetooth has a number of known weaknesses which can potentially be exploited, the range of Bluetooth communications for all other mobile devices should be limited.

Mobile device Bluetooth pairing

To mitigate security risks associated with pairing mobile devices with other Bluetooth devices, Bluetooth version 2.1 introduced secure simple pairing and extended inquiry response. Secure simple pairing improved the pairing experience for Bluetooth devices and introduced a form of public key cryptography while extended inquiry response provided more information during the inquiry procedure to allow for better filtering of Bluetooth devices.

In addition to using Bluetooth devices that support at least Bluetooth version 2.1, personnel should consider the location and manner in which they pair Bluetooth devices. For example, by avoiding pairing devices in public locations.

Configuration control

Poorly controlled mobile devices are more vulnerable to compromise and provide an adversary with a potential access point into systems. Although organisations may initially provide secure mobile devices, the state of security may degrade over time. The security of mobile devices should be audited regularly to ensure their integrity.

Maintaining mobile device security

It is important that mobile devices are regularly tested to ensure that they meet organisation-defined security configurations and that patches are being applied.

Connecting mobile devices to the Internet

During the time mobile devices are connected to the Internet for web browsing they are directly exposed to targeted cyber intrusions originating from the Internet. Should web browsing be required, best practice involves establishing a Virtual Private Network (VPN) connection and browsing the Web though an organisation’s internet gateway.

A split tunnel VPN can allow access to systems from another network, including unsecured networks such as the Internet. If split tunnelling is not disabled there is an increased security risk that the VPN connection is susceptible to targeted cyber intrusions from such networks. Disabling split tunnelling may not be achievable on all mobile devices. Organisations can refer to the relevant ACSC hardening guidance for mobile devices on how to manage security risks associated with split tunnelling.

Mobile device usage policy

Since mobile devices routinely leave the office environment, and the protection it affords, it is important that organisations develop a mobile device usage policy governing their use.

Personnel awareness

Mobile devices can have both a voice and data component capable of processing or communicating information. In such cases, personnel should know the sensitivity or classification of information that mobile devices have been approved to process, store and communicate.

Paging and message services

As paging and message services do not appropriately encrypt information they cannot be relied upon for the communication of sensitive or classified information.

Using mobile devices in public spaces

Personnel should be aware of the environment they use mobile devices in to view or communicate sensitive or classified information, especially in public areas such as public transport, transit lounges and coffee shops. In such locations personnel taking care to ensure information is not observed or conversations are overheard will assist in maintaining the confidentiality of their organisation’s information. In some cases, privacy filters can be applied to the screen of a mobile device to prevent onlookers from reading content off its screen.

Maintaining control of mobile devices

As mobile devices are portable in nature, and can be easily lost or stolen, it is strongly advised that personnel do not leave mobile devices unattended when being actively used.

Carrying mobile devices

As mobile devices used outside the office will be carried through areas not authorised to process the information stored on them, carrying them in a secured state (i.e. encryption is active when they are not in use) will decrease the likelihood of accidental or deliberate compromise of information. Depending on the type of mobile device, the effectiveness of encrypting its internal storage might be reduced if the device is lost or stolen while it is in sleep mode or powered on with a locked screen.

Mobile device emergency sanitisation process and procedures

The sanitisation of mobile devices in emergency situations can assist in reducing the potential for compromise of information by an adversary. This may be achieved through the use of a remote wipe capability or a cryptographic key zeroise or sanitisation function if present.

Before travelling overseas with mobile devices

Personnel travelling overseas with mobile devices face additional security risks. Taking steps to mitigate these security risks will assist in protecting their organisation’s information. When personnel leave Australian borders they also leave behind any expectations of privacy.

• patch applications and operating systems
• implement multi-factor authentication
• backup all data
• remove all non-essential data
• disable applications that are not essential for the period of travel
• disable Bluetooth and wireless connectivity
• configure wireless to connect only to known secure networks.

While travelling overseas with mobile devices

Personnel lose control of information stored on mobile devices any time devices are not on their person. This includes storing mobile devices in checked-in luggage or in hotel rooms (including hotel room safes). Such situations provide an opportunity for mobile devices to be stolen or tampered with.

After travelling overseas with mobile devices

Inspecting mobile devices after overseas travel allows organisations to check for evidence that devices may have been compromised, and if so, take appropriate actions such as resetting devices and all passphrases for accounts associated with the devices.

Evaluated products

An evaluated product provides a level of assurance in its security functionality that an unevaluated product does not.

• ASD Cryptographic Evaluation (ACE) program, for software and ICT equipment that contains cryptographic functionality.
• High Assurance evaluation program, for ICT equipment protecting highly classified information.

The Australian Cyber Security Centre (ACSC) also certifies product evaluations conducted by licensed commercial facilities, in accordance with the Common Criteria, as part of the Australasian Information Security Evaluation Program (AISEP).

For organisations seeking to procure evaluated products, the Evaluated Products List contains a list of products that have been evaluated through the ACE program or the High Assurance evaluation program while the Certified Products List contains a list of products that have been certified in accordance with the Common Criteria.

Protection profiles

A Protection Profile (PP) is a technology-specific document that defines the security functions that must be included in a Common Criteria certified product to mitigate specific cyber threats. PPs can be published by a recognised Common Criteria Recognition Arrangement (CCRA) scheme or by the CCRA body itself. PPs published by the CCRA body are referred to as collaborative PPs.

The ACSC recognises all PPs listed on the Common Criteria website in addition to those listed on the ACSC’s website. Where a PP does not exist, an evaluation based on an Evaluation Assurance Level (EAL) may be accepted. Such evaluations are capped at EAL2+ as this represents the best balance between completion time and meaningful security assurance gains.

Evaluation documentation

Organisations choosing to use Common Criteria certified products can determine their suitability by reviewing their evaluation documentation. This includes the Security Target and Certification Report.

Products that are undergoing a Common Criteria evaluation will not have published evaluation documentation. However, documentation can be obtained from the ACSC if a product is being evaluated through the AISEP. For a product that is in evaluation through a foreign scheme, the product’s vendor can be contacted directly for further information.

Evaluated product selection

A Common Criteria evaluation is traditionally conducted at a specified EAL; however, evaluations against a PP exist outside of this scale. Notably, while products evaluated against a PP will fulfil the Common Criteria EAL requirements, the EAL number will not be published.

Delivery of evaluated products

It is important that organisations ensure that products they purchase are the actual products that are delivered. In the case of evaluated products, if the product delivered differs from an evaluated version then the assurance gained from the evaluation may not necessarily apply.

Packaging and delivery practices can vary greatly from product to product. For most evaluated products, standard commercial packaging and delivery practices are likely to be sufficient. However, in some cases more secure packaging and delivery practices, including tamper-evident seals and secure transportation, may be required. In the case of the digital delivery of evaluated products, vendor-supplied checksums can often be used to ensure the integrity of software that was delivered.

Evaluated configuration

• functionality that it uses was in the scope of the evaluation and it is implemented in the specified manner
• only product updates that have been assessed through a formal assurance continuity process have been applied
• the environment complies with assumptions or organisational security policies stated in the evaluation documentation.

Unevaluated configuration

An evaluated product is considered to be operating in an unevaluated configuration when it does not meet the requirements of the evaluated configuration and guidance provided in its Certification Report.

Patching evaluated products

In the majority of cases, the latest patched version of an evaluated product will be more secure than an older unpatched version. While the application of patches will not normally place an evaluated product into an unevaluated configuration, some vendors may include new functionality, which has not been evaluated, with their patches. In such cases, organisations should use their judgement to determine whether this deviation from the evaluated configuration constitutes additional security risk or not.

Installation and configuration of evaluated products

Product evaluation provides assurance that a product’s security functionality will work as expected when operating in a clearly defined configuration. The scope of the evaluation specifies the security functionality that can be used and how a product is to be configured and operated. Using an evaluated product in an unevaluated configuration could result in the introduction of security vulnerabilities that were not considered as part of the product’s evaluation.

For Common Criteria certified products, information is available from vendors regarding its installation, configuration, administration and operation. Additional information is also available in its evaluation documentation. For high assurance ICT equipment, installation and configuration guidance can be obtained from the ACSC.

Use of high assurance ICT equipment in unevaluated configurations

Given the value of the information being protected by high assurance ICT equipment, it should always be operated in an evaluated configuration.

ICT equipment management policy

Since ICT equipment is capable of processing, storing or communicating sensitive or classified information, it is important that an ICT equipment management policy is developed and implemented to ensure that ICT equipment, and the information it processes, stores or communicates, is protected in an appropriate manner.

Classifying ICT equipment

The purpose of classifying ICT equipment it to acknowledge the sensitivity or classification of information that it is approved for processing, storing or communicating.

Classifying ICT equipment also assists in ensuring that the appropriate sanitisation, destruction and disposal processes are followed at the end of its life.

Labelling ICT equipment

Applying protective markings to ICT equipment assists to reduce the likelihood that a user will accidentally input information into it that it is not approved for processing, storing or communicating.

While text-based protective markings are typically used for labelling ICT equipment, there may be circumstances where colour-based protective markings or other marking schemes need to be used instead. In such cases, the marking scheme will need to be documented and personnel will need to be trained in its use.

Labelling high assurance ICT equipment

High assurance ICT equipment often has tamper-evident seals placed on its external surfaces. To assist users in noticing changes to these seals, and to prevent functionality being degraded, organisations should limit the use of labels on high assurance ICT equipment.

Maintenance and repairs by cleared technicians

Making unauthorised repairs to ICT equipment could impact its integrity. Using cleared technicians to maintain and repair ICT equipment on-site is considered the most secure approach. This ensures that if information is disclosed during the course of maintenance or repairs, the technicians are aware of the requirements to protect such information.

Maintenance and repairs by uncleared technicians

Organisations choosing to use uncleared technicians to maintain or repair ICT equipment should be aware of the requirement for cleared personnel to escort uncleared technicians during maintenance or repair activities.

Off-site maintenance and repairs

Organisations choosing to have ICT equipment maintained or repaired off-site should be aware of requirements for the external company’s facilities to be approved to do so based on the sensitivity or classification of the ICT equipment.

Organisations choosing to have ICT equipment maintained or repaired off-site can sanitise the ICT equipment prior to transport, and subsequent maintenance or repair activities, to lower (depending on the types of media involved) its physical transfer and storage requirements.

Maintenance and repair of ICT equipment from secured spaces

When ICT equipment resides in an area that also contains ICT equipment of a higher classification, a technician could modify the lower classified ICT equipment in an attempt to compromise co-located ICT equipment of a higher classification.

ICT equipment sanitisation and disposal processes and procedures

When disposing of ICT equipment, any media in the ICT equipment should be sanitised in situ or removed and sanitised separately. Once any media has been sanitised or removed, ICT equipment can be considered sanitised. As such, the ICT equipment can then be declassified and formally authorised for release into the public domain. However, if media cannot be sanitised or removed, the ICT equipment will need to be destroyed in its entirety.

In addition, removing labels and markings indicating the classification, codewords, caveats, owner, system or network details as part of the disposal process will ensure ICT equipment does not display indications of its prior use and draw undue attention.

• electrostatic memory devices, such as laser printer cartridges used in multifunction devices (MFDs)
• non-volatile magnetic memory, such as hard disks
• non-volatile semiconductor memory, such as flash cards and solid state drives
• volatile memory, such as random-access memory sticks.

Sanitisation and disposal of highly sensitive ICT equipment

The ACSC provides specific advice on how to securely dispose of high assurance ICT equipment and TEMPEST-rated ICT equipment. In addition, ICT equipment located overseas that has processed or stored Australian Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) material can have more severe consequences for Australian interests if not sanitised and disposed of appropriately.

Sanitisation and disposal of printers and multifunction devices

When sanitising and disposing of printers and MFDs, the printer cartridge or MFD print drum should be sanitised in addition to the sanitisation or removal of any media. This can be achieved by printing random text with no blank areas on each colour printer cartridge or MFD print drum. In addition, transfer rollers and platens can become imprinted with text and images over time and should be destroyed if any images have been retained. Finally, any paper jammed in the paper path should be removed.

When printer cartridges and MFD print drums cannot be sanitised due to a hardware failure, or when they are empty, there is no other option available but to destroy them. Printer ribbons cannot be sanitised and should be destroyed.

Sanitising televisions and computer monitors

All types of televisions and computer monitors are capable of retaining information if mitigation measures are not taken during their lifetime. Cathode Ray Tube monitors and plasma screens can be affected by burn-in while Liquid Crystal Display screens can be affected by image persistence.

Televisions and computer monitors can be visually inspected by turning up the brightness and contrast to their maximum level to determine if any information has been burnt into or persists on the screen. If burn-in or image persistence is removed by this activity, televisions and computer monitors can be considered sanitised allowing them to be declassified and formally authorised for release into the public domain. However, if burn-in or persistence is not removed through these measures, televisions and computer monitors cannot be sanitised and should be destroyed.

If the television or computer monitor cannot be powered on (e.g. due to a faulty power supply) the unit cannot be sanitised and should be destroyed.

Sanitising network devices

Routers, switches, network interface cards and firewalls contain memory that is used in their operation. This memory can often retain network configuration information such as passwords, encryption keys and certificates. The correct method to sanitise a network device will depend on the configuration of the device and the type of memory within the device. Device-specific guidance provided by the ACSC, or vendor sanitisation guidance, should be consulted to determine the most appropriate method to remove information from a network device’s memory.

Sanitising fax machines

Fax machines store information such as phone number directories and pages ready for transmission. In addition to the sanitisation or removal of any media within fax machines, the memory should be cleared and any paper jammed in the paper path should be removed.

Media management policy

Since media is capable of storing sensitive or classified information, it is important that a media management policy is developed and implemented to ensure that all types of media, and the information it stores, is protected in an appropriate manner. In many cases, an organisation’s media management policy will be closely tied to their removable media usage policy.

Removable media useage policy

Establishing a removable media usage policy can decrease the likelihood and consequence of accidental data spills and information loss or theft.

• permitted uses of removable media
• permitted types of removable media
• requirements for removable media registration
• requirements for removable media labelling
• requirements for the protection of removable media
• requirements for the reporting of lost or stolen removable media
• requirements for the sanitisation or destruction of removable media at the end of its life.

Classifying media storing information

Media that is not correctly classified could be handled and stored inappropriately or accessed by personnel who do not have appropriate security clearances.

Classifying media connected to systems

There is no guarantee that information will not be copied to media while connected to a system unless read-only devices or read-only media are used.

Reclassifying media

Media should always be protected according to the sensitivity or classification of the information it stores; however, if the sensitivity or classification of the information changes, so should the protection afforded to the media.

Labelling media

Labelling media helps personnel to identify its sensitivity or classification and ensure that appropriate security controls are applied to its handling and usage.

While text-based protective markings are typically used for labelling media, there may be circumstances where colourbased protective markings or other marking schemes need to be used instead. In such cases, the marking scheme will need to be documented and personnel will need to be trained in its use.

Connecting media to systems

Some operating systems provide functionality to automatically execute programs that reside on media. While this functionality was designed with a legitimate purpose in mind (e.g. such as automatically loading a graphical user interface for a user to browse the contents of media or to install software residing on the media) it can also be used for malicious purposes. For example, an adversary can create a file on media that the operating system believes it should automatically execute. When the operating system executes the file, it can have the same effect as when a user explicitly executes malicious code; however, in this case the user is taken out of the equation as the operating system executes the file without explicitly asking for permission.

Device access control software allows greater control over media that can be connected to systems and how it can be used. This assists in preventing unauthorised media being connected to systems and, if desired, preventing information from being written to it. Media can also be prevented from connecting to systems by disabling connection ports in software or by physical means such as using wafer seals or applying epoxy. If physical means are used to prevent media connecting to systems, processes and procedures covering detection and reporting are needed in order to respond to attempts to bypass these security controls.

External interface connections that allow Direct Memory Access

It has been demonstrated that an adversary can connect media to a locked system via an external interface connection that allows Direct Memory Access (DMA) and subsequently gain access to encryption keys in memory. Furthermore, an adversary can read or write any content to memory that they desire. The best defence against this security vulnerability is to disable access to external interface connections that allow DMA using software controls or physical measures. External interface connections that allow DMA include FireWire, ExpressCard and Thunderbolt.

Handling media

As media can be easily misplaced or stolen, mechanisms should be put in place to protect information stored on it. Furthermore, applying encryption to media may reduce the requirements for storage and physical transfer. Any reduction in requirements needs to be based on the original sensitivity or classification of information residing on the media and the level of assurance in the encryption software being used to encrypt the media.

Using media for data transfers

Organisations transferring data between systems belonging to different security domains are strongly encouraged to use write-once media. This will ensure that information from one of the systems cannot be accidently transferred onto the media then onto another system when the media is reused for the next transfer.

Media in ICT equipment

ICT equipment will often contain devices that are quite small and may not be immediately recognisable as memory. Examples of these include M.2 or Mini-Serial Advanced Technology Attachment (mSATA) devices. When sanitising M.2 or mSATA devices, the methods for flash memory devices apply. Generally, if a device offers persistent storage of information, it is likely that the methods for flash memory will apply.

Hybrid hard drives

When sanitising hybrid hard drives, the methods for flash memory devices apply.

Solid state drives

When sanitising solid state drives (SSDs), the methods for flash memory devices apply.

Media that cannot be sanitised

When attempts to sanitise media are unsuccessful, the only way to provide assurance that all information has been erased is to destroy the media. Additionally, some types of media cannot be sanitised and therefore should be destroyed.

Media sanitisation process and procedures

Sanitising media prior to reuse in a different environment ensures that information is not inadvertently accessed by unauthorised personnel or otherwise insufficiently protected.

Using approved methods provides a level of assurance that no information will be left on media. The methods described in this document are designed not only to prevent common information recovery practices but also to protect from those that could emerge in the future.

When sanitising media, it is necessary to read back the contents of the media to verify that the overwrite process was completed successfully.

Volatile media sanitisation

When sanitising volatile media, the specified time to wait following removal of power is based on applying a safety factor to the time recommended in research into preventing the recovery of the contents of volatile media.

If read back cannot be achieved following the overwriting of media contents, or information persists on the media, destroying the media is the only way to provide complete assurance information no longer persists.

Treatment of volatile media following sanitisation

Published literature suggests that short-term remanence effects are likely in volatile media. Data retention times have been reported to be measured in minutes at normal room temperatures and up to hours in extreme cold. Furthermore, some volatile media can suffer from long-term remanence effects resulting from physical changes to the media due to continuous storage of static data for an extended period of time. It is for these reasons that under certain circumstances TOP SECRET volatile media retains its classification following sanitisation.

Typical circumstances preventing the reclassification of TOP SECRET volatile media include a static cryptographic key being stored in the same memory location during every boot of a device and a static image being displayed on a device and stored in volatile media for a period of months.

Non-volatile magnetic media sanitisation

Both the host-protected area and device configuration overlay table of non-volatile magnetic media are normally not visible to an operating system or a computer’s basic input/output system. Therefore, any sanitisation of the readable sectors of media will not overwrite these hidden sectors leaving any data contained in these locations untouched. Some sanitisation programs include the ability to reset media to their default state removing any host-protected areas or device configuration overlays. This allows the sanitisation program to see the entire contents of media during the subsequent sanitisation process.

Modern non-volatile magnetic media automatically reallocates space for bad sectors at a hardware level. These bad sectors are maintained in what is known as the growth defects table or ‘g-list’. If data was stored in a sector that was subsequently added to the g-list, sanitising the media will not overwrite these non-addressable bad sectors. While these sectors may be considered bad by the media, quite often this is due to the sectors no longer meeting expected performance norms and not due to an inability to read/write to them. The Advanced Technology Attachment (ATA) secure erase command was built into the firmware of post-2001 media and is able to access sectors that have been added to the g-list.

Modern non-volatile magnetic media also contain a primary defects table or ‘p-list’. The p-list contains a list of bad sectors found during post-production processes. No data is ever stored in sectors on the p-list as they are inaccessible before the media is used for the first time.

Treatment of non-volatile magnetic media following sanitisation

Due to concerns with the sanitisation of the host-protected area, device configuration overlay table and growth defects table, highly classified non-volatile magnetic media retains its classification following sanitisation.

Non-volatile erasable programmable read-only memory media sanitisation

When sanitising non-volatile erasable programmable read-only memory (EPROM), the manufacturer’s specification for ultraviolet erasure time should be multiplied by a factor of three to provide an additional level of certainty in the process.

Non-volatile electrically erasable programmable read-only memory media sanitisation

A single overwrite with a random pattern is considered best practice for sanitising non-volatile electrically erasable programmable read-only memory (EEPROM) media.

Treatment of non-volatile erasable and electrically erasable programmable read-only memory media following sanitisation

As little research has been conducted into the ability to recover information from non-volatile EPROM and EEPROM media following sanitisation, highly classified EPROM and EEPROM media retains its classification following sanitisation.

Non-volatile flash memory media sanitisation

In flash memory media, a technique known as wear levelling ensures that writes are distributed evenly across each memory block. This feature necessitates flash memory being overwritten with a random pattern twice as this helps ensure that all memory blocks are overwritten.

Treatment of non-volatile flash memory media following sanitisation

Due to the use of wear levelling in flash memory, it is possible that not all memory locations were written to when attempting to overwrite the media. For this reason, highly classified flash memory media retains its classification following sanitisation.

Sanitising media prior to reuse

Sanitising media prior to reuse assists with enforcing the need-to-know principle.

Encrypted media

When applied appropriately, the use of encryption can provide additional assurance during media sanitisation, reuse and disposal. However, unless otherwise stated in Consumer Guides for evaluated encryption software, the use of encryption does not reduce the post-sanitisation classification of media.

Media destruction process and procedures

Documenting a process and supporting procedures for media destruction will ensure that organisations carry out media destruction in an appropriate and consistent manner.

Media that cannot be sanitised

It is not possible to sanitise some types of media while maintaining a level of assurance that no information can be recovered.

Media destruction equipment

When physically destroying media, using approved equipment can provide a level of assurance that that information residing on the media is actually destroyed.

Approved equipment includes destruction equipment listed in the Security Construction and Equipment Committee (SCEC)’s Security Equipment Evaluated Products List, the Australian Security Intelligence Organisation (ASIO)’s Security Equipment Guide (SEG)-009, Optical Media Shredders, and ASIO’s SEG-018, Destructors. ASIO’s SEG-009 and SEG-018 are available from the Protective Security Policy govdex community or ASIO by email.

If using degaussers to destroy media, the United States’ National Security Agency maintains a list of evaluated degaussers while the United Kingdom’s National Cyber Security Centre maintains a list of certified degaussers.

Media destruction methods

The destruction methods given below are designed to ensure that recovery of information is impossible or impractical.

Treatment of media waste particles

Following destruction, normal accounting and auditing procedures for media do not apply. However, depending on the destruction method used and the resulting particle size, it may still need to be stored and handled as classified waste.

Degaussing magnetic media

Degaussing magnetic media changes the alignment of magnetic domains resulting in information being permanently corrupted.

Coercivity (the resistance of magnetic material to change) varies between magnetic media types and between brands and models of the same type of media. Care is needed when degaussing magnetic media since a degausser of insufficient strength will not be effective. The United States' National Security Agency provides information on the common types of magnetic media and their associated coercivity ratings with their list of evaluated degaussers.

Since 2006, perpendicular magnetic media has been available. As some degaussers are only capable of sanitising longitudinal magnetic media, care needs to be taken to ensure that a suitable degausser is used.

Finally, to ensure that degaussers are being used in the correct manner to achieve an effective destruction outcome, product-specific directions provided by degausser manufacturers should be followed.

Supervision of destruction

To verify that media is appropriately destroyed, the process needs to be supervised by at least one person cleared to the sensitivity or classification of the media being destroyed.

Supervision of accountable material destruction

Accountable material is more important than standard media. As such, its destruction should be supervised by at least two personnel who sign a destruction certificate afterwards.

Outsourcing media destruction

ASIO has approved National Association for Information Destruction AAA certified destruction services with endorsements, as specified in ASIO's Protective Security Circular (PSC)-167, External destruction of security classified information, for the outsourced destruction of media. ASIO's PSC-167 is available from the Protective Security Policy govdex community or ASIO by email.

Transporting media for external destruction

To prevent the unauthorised disclosure of official or classified information on media, it should be sanitised, if possible, before being transported to an off-site location for destruction.

Disposal of media

Before media, or its waste, can be released into the public domain it needs to be sanitised, destroyed or declassified. As the compromise of official information still presents a security risk, albeit minor, an appropriate authority needs to formally authorise its release into the public domain.

In addition, removing labels and markings indicating the classification, codewords, caveats, owner, system or network details will ensure media does not display indications of its prior use and draw undue attention following its disposal.

Operating system versions

Newer versions of operating systems often introduce improvements in security functionality over older versions. This can make it more difficult for an adversary to craft reliable exploits for security vulnerabilities they discover. Using older versions of operating systems, especially those no longer supported by vendors, exposes organisations to exploitation techniques that have since been mitigated in newer versions of operating systems.

The x64 (64-bit) versions of Microsoft Windows include additional security functionality that the x86 (32-bit) versions lack. Using x86 (32-bit) versions of Microsoft Windows exposes organisations to exploitation techniques mitigated by x64 (64-bit) versions of Microsoft Windows.

Operating system configuration

When operating systems are deployed in their default state it can easily lead to an unsafe operating environment allowing an adversary to gain an initial foothold on a network. Many options exist within operating systems to allow them to be configured in a secure state to minimise this security risk. The Australian Cyber Security Centre (ACSC) produces hardening guidance to assist in securely configuring various operating systems.

Local administrator accounts

When local administrator accounts are used with common account names and passphrases, it can allow an adversary that compromises these credentials on one workstation or server to easily transfer across a network to other workstations or servers.

Application management

While the ability to install applications may be a business requirement for users, this privilege can be exploited by an adversary who can email a malicious application, or host it on a compromised website, and use social engineering techniques to convince users into installing it. Even if privileged access is required to install applications, users will often use their privileged access if they believe, or can be convinced that, the requirement to install the application is legitimate. Additionally, if applications are configured to install using elevated privileges, an adversary can exploit this by creating a Windows Installer installation package to create a new account that belongs to the local administrators group.

Application whitelisting

An adversary can email malicious code, or host malicious code on a compromised website, and use social engineering techniques to convince users into executing it. Such malicious code often aims to exploit security vulnerabilities in existing applications and does not need to be installed to be successful.

Application whitelisting, when implemented in its most effective form (i.e. using hashes for executables, software libraries, scripts and installers) can be an extremely effective mechanism in not only preventing malicious code from executing, but also ensuring only authorised applications can be installed. Other implementations of application whitelisting (e.g. using approved paths for installed applications, in combination with access controls requiring privileged access to write to those locations) can still be a very effective mitigation strategy.

When developing application whitelisting rule sets, defining a list of approved executables (e.g. .exe and .com files), software libraries (e.g. .dll and.ocx files), scripts (e.g. .ps1, .bat, .cmd, .vbs and .js files) and installers (e.g. .msi, .msp and .mst files) from scratch is a more secure method than relying on a list of those currently residing on a workstation or server. Furthermore, it is preferable that organisations define their own approved list of executables, software libraries, scripts and installers rather than relying on lists from application whitelisting vendors.

Enhanced Mitigation Experience Toolkit and Exploit protection

An adversary who develops exploits for Microsoft Windows will be more successful in exploiting security vulnerabilities when Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) has not been installed. EMET was designed to provide a number of system-wide mitigation measures while also providing application-specific mitigation measures. From Microsoft Windows 10 version 1709 and Microsoft Windows Server 2016 onwards, EMET functionality has been incorporated directly into the operating system as part of ‘Exploit protection’ functionality.

Host-based Intrusion Prevention System

Many endpoint security solutions rely on signatures to detect malicious code. This approach is only effective when a particular piece of malicious code has already been profiled and signatures are current. Unfortunately, an adversary can create variants of known malicious code, or develop new unseen malicious code, to bypass traditional signature-based detection mechanisms. A Host-based Intrusion Prevention System (HIPS) can use behaviour-based detection schemes to assist in identifying and blocking anomalous behaviour, such as process injection, keystroke logging, driver loading and call hooking, as well as detecting malicious code that has yet to be identified by antivirus vendors.

Software firewall

Network firewalls often fail to prevent the propagation of malicious code on a network, or an adversary from extracting important information, as they generally only control which ports or protocols can be used between different network segments. Many forms of malicious code are designed specifically to take advantage of this by using common protocols such as Hypertext Transfer Protocol, Hypertext Transfer Protocol Secure, Simple Mail Transfer Protocol and DNS. Software firewalls are more effective than network firewalls as they can control which applications and services can communicate to and from workstations and servers. The in-built Windows firewall should be used to control both inbound and outbound traffic for specific applications.

Antivirus software

When vendors develop software they may not use secure coding practices. An adversary can take advantage of this by developing malicious code to exploit security vulnerabilities that have not been detected and remedied. As significant time and effort is often involved in developing functioning and reliable exploits, an adversary will often reuse their exploits as much as possible. While exploits may be profiled by antivirus vendors, they often remain a variable intrusion method in organisations that do not have any measures in place to detect them.

Endpoint device control software

The use of endpoint device control software to control the use of unauthorised devices adds value as part of a defencein-depth approach to the protection of workstations and servers.

Application selection

When selecting applications it is important that organisations preference vendors that have demonstrated a commitment to secure coding practices and have a strong track record of maintaining the security of their applications. This will assist not only with hardening applications but also increase the likelihood that vendors will release timely patches to remediate any security vulnerabilities in their applications.

Application versions

Newer versions of applications often introduce improvements in security functionality over older versions. This can make it more difficult for an adversary to craft reliable exploits for security vulnerabilities they discover. Using older versions of applications, especially key business applications such as office productivity suites (e.g. Microsoft Office), Portable Document Format (PDF) viewers (e.g. Adobe Reader), web browsers (e.g. Microsoft Internet Explorer, Mozilla Firefox or Google Chrome), common web browser plugins (e.g. Adobe Flash), email clients (e.g. Microsoft Outlook) and software platforms (e.g. Oracle Java Platform and Microsoft .NET Framework), exposes organisations to exploitation techniques that have since been mitigated in newer versions of applications.

Hardening application configurations

By default, many applications enable functionality that is not required by users while security functionality may be disabled or set at a lower security level. This is especially risky for key business applications such as office productivity suites, PDF viewers, web browsers, common web browser plugins, email clients and software platforms that are likely to be targeted by an adversary. To assist in minimising this security risk, the ACSC produces hardening guidance to assist in securely configuring key business applications. Further, to assist in securely configuring their applications, vendors may provide their own security guides.

Microsoft Office macros

Microsoft Office files can contain embedded code (known as a macro) written in the Visual Basic for Applications programming language. A macro can contain a series of commands that can be coded or recorded, and replayed at a later time to automate repetitive tasks. Macros are powerful tools that can be easily created by users to greatly improve their productivity. However, an adversary can also create macros to perform a variety of malicious activities, such as assisting to compromise workstations in order to exfiltrate or deny access to sensitive or classified information. To reduce this security risk, organisations should disable or secure their use of Microsoft Office macros.

Account types

When this document refers to passphrase policies, it is equally applicable to all account types. This includes user accounts, privileged accounts and service accounts.

Authenticating to systems

Before access to a system and its resources is granted to a user, it is essential that the user is able to demonstrate their identity. This is typically achieved via single-factor authentication, such as a username and passphrase, or via multifactor authentication, such as a username along with biometric data and a numerical password.

Single-factor authentication

A significant threat to the compromise of user accounts is offline passphrase cracking tools. When an adversary gains access to a list of usernames and hashed passphrases from a system, they can attempt to recover passphrases by comparing the hash of a known passphrase with the hashes from the list of hashed passphrases that they obtained. By finding a match, an adversary will know the passphrase associated with a given username. Combined, this often forms a complete set of authentication information for an account. In order to reduce this security risk, organisations can implement multi-factor authentication. Alternatively, an organisation may attempt to increase the time on average it takes an adversary to compromise a passphrase by increasing both its complexity and length while decreasing the time it remains valid.

Multi-factor authentication

Multi-factor authentication uses independent methods to confirm a user’s identity.

• something a user knows, such as a passphrase or a response to a security question
• something a user has, such as a passport, physical token or an identity card
• something unique about a user, such as a fingerprint or their face's geometry.

Any two of these methods are required to have multi-factor authentication. If something a user knows is written down, or typed into a file and stored as plaintext, this evidence becomes something that a user has rather than something a user knows.

Privileged users, positions of trust, users of remote access solutions, and users with access to important data repositories are more likely to be targeted by an adversary due to their level of access. For this reason, it is especially important that multi-factor authentication is used for these accounts.

When implementing multi-factor authentication, a number of different authentication factors can be implemented in addition to passphrases. Unfortunately, some authentication factors such as those sent via Short Message Service are more susceptible to compromise by an adversary than others. For this reason, a limited number of authentication methods are recommended for use as part of a multi-factor authentication implementation.

The benefit of implementing multi-factor authentication can be diminished when credentials are reused on other systems. For example, when usernames and passphrases used as part of multi-factor authentication for remote access are the same as those used for corporate workstations. In such circumstances, if an adversary had compromised the device used for remote access they could capture the username and passphrase for reuse against a corporate workstation that did not require the use of multi-factor authentication.

Passphrase authentication

Local Area Network (LAN) Manager’s authentication mechanism uses a very weak hashing algorithm known as the LAN Manager hash algorithm. Passphrases hashed using the LAN Manager hash algorithm can easily be compromised using rainbow tables or brute force attacks.

Account lockouts

Locking an account after a specified number of failed logon attempts reduces the likelihood of successful passphrase guessing attacks. However, care should be taken as implementing account lockout functionality in a web application can increase the likelihood of a denial of service.

Resetting passphrases

To reduce the likelihood of social engineering being used to compromise accounts, users should provide sufficient evidence to verify their identity when requesting a passphrase reset.

• physically presenting themselves and their security pass to service desk personnel who then reset their passphrase
• physically presenting themselves to a known colleague who uses an approved online tool to reset their passphrase
• establishing their identity by responding correctly to a number of challenge response questions before resetting their own passphrase.

In addition, issuing accounts with unique complex reset passphrases ensures the security of the account is maintained during the passphrase reset process.

Protecting authentication information

Storing authentication information with a system that it grants access to increases the likelihood of an adversary gaining access to the system. For example, a passphrase should never be written down and stuck to a laptop or computer monitor.

If storing authentication information on a system, sufficient protection should be implemented to prevent the authentication information from being compromised as part of a targeted cyber intrusion. For example, usernames and passphrases for databases should be stored in a password vault rather than in a Microsoft Word or Excel document. In addition, secure transmission of authentication information reduces the likelihood of an adversary intercepting and using the authentication information to access a system under the guise of a valid user.

Session and screen locking

Session and screen locking prevents unauthorised access to a system which a user has already been authenticated to access.

Logon banner

Displaying a logon banner to users after they authenticate to a system reminds them of their security responsibilities.

• access to the system being restricted to authorised users
• acceptable usage and security policies for the system
• the user's agreement to abide by abovementioned policies
• legal ramifications of violating the abovementioned policies
• details of monitoring and auditing activities
• a point of contact for any questions.

What is secure system administration

Secure system administration allows organisations to be resilient in the face of targeted cyber intrusions by protecting administrator workstations and accounts from compromise, as well as making adversary movement throughout a network more difficult. If a secure system administration environment withstands a targeted cyber intrusion, incident response will be far more agile, the damage will be limited and remediation work will be completed faster.

Secure system administration of cloud-based resources

With the increased use of cloud-based resources, organisations may require administrative workstations to communicate with external assets on the Internet. In this scenario it is still important that security controls are put in place to prevent unnecessary communication with arbitrary hosts and protocols.

Administrative accounts

The use of the same credentials on both an administrator workstation and a user workstation puts the administrator workstation at risk of compromise if the user workstation is compromised. The table below provides clarification on the use of different accounts.

System administration process and procedures

A key component of secure system administration is ensuring that privileged actions are performed using an approved system administration process supported by system administration procedures. This will ensure that privileged actions are undertaken in a repeatable and accountable manner.

Separate administrator workstations

One of the greatest threats to the security of a network as a whole is the compromise of a workstation used for administration activities. Providing a physically separate hardened administrator workstation to privileged users, in addition to their workstation used for unprivileged user access, provides greater assurance that privileged activities and credentials will not be compromised.

Using different physical machines is considered the most secure solution to separate workstations; however, a riskbased approach may determine that a virtualisation-based solution is sufficient. In such cases, the unprivileged user environment should be the ‘guest’ and the administrative environment should be the ‘host’.

Multi-factor authentication

Multi-factor authentication is vital to any secure system administration implementation as it can limit the consequences of a compromise by preventing or slowing an adversary’s ability to gain unrestricted access to assets.

Multi-factor authentication may be implemented as part of the jump server authentication process rather than performing multi-factor authentication on all critical assets, some of which may not support multi-factor authentication.

Dedicated administration zones and communication restrictions

Administration security can be improved by segregating administrator workstations from the wider network. This can be achieved a number of ways, such as via the use of Virtual Local Area Networks, firewalls, network access controls and Internet Protocol Security Server and Domain Isolation.

It is recommended that segmentation and segregation be applied regardless of whether privileged users have physically separate administrator workstations or not.

Restriction of management traffic flows

Limiting the flow of management traffic to only those network elements and segments explicitly required to communicate with each other can reduce the consequences of a network compromise and make it easier to detect if it does occur.

Although user workstations will have a need to communicate with critical assets such as web servers or domain controllers in order to function, it is highly unlikely that they will need to send or receive management traffic (such as Remote Desktop Protocol , Secure Shell and similar protocols) to these assets.

The following diagram outlines how management traffic filtering could be implemented between a network comprising different network zones. The only flows of management traffic allowed are those between the ‘Administrator Workstation Zone’ and the ‘Jump Server Zone’ as well as the ‘Jump Server Zone’ and the ‘Critical Asset Zone’. All other traffic is blocked as there is no reason for management traffic to flow between the other network zones.

Jump servers

A jump server (also known as a jump host or jump box) is used to manage important or critical resources in a separate security domain. The use of jump servers as a form of ‘management proxy’ can be an effective way of simplifying and securing privileged activities.

• an efficient and effective focal point to perform multi-factor authentication
• a single place to store and patch management tools
• simplified implementation of management traffic filtering
• a focal point for logging, monitoring and alerting.

In a typical scenario, if a privileged user wanted to perform administrative activities they would connect directly to the target server using RDP or SSH. However, in a jump server setup the privileged user would first connect and authenticate to the jump server, then RDP, SSH, or use remote administration tools to access the target server.

When implementing a jump server, it is recommended that organisations implement multi-factor authentication, enforce strict device communication restrictions, and harden administrative infrastructure, otherwise a jump server will yield little security benefit.

Patching approaches

• fixes that can be applied to pre-existing application versions
• fixes incorporated into new applications or drivers that require pre-existing versions to be replaced
• fixes that require the overwriting of firmware on ICT equipment.

When patches are not available

When patches are not available for security vulnerabilities there are a number of approaches that can be undertaken to reduce security risks. In priority order this includes resolving the security vulnerability, preventing exploitation of the security vulnerability, containing the exploitation of the security vulnerability or detecting exploitation of the security vulnerability.

• disabling the functionality associated with the security vulnerability
• engaging a software developer to resolve the security vulnerability
• changing to different software or ICT equipment with a more responsive vendor.

• applying external input sanitisation (if an input triggers the exploit)
• applying filtering or verification on output (if the exploit relates to an information disclosure)
• applying additional access controls that prevent access to the security vulnerability
• configuring firewall rules to limit access to the security vulnerability.

• applying firewall rules limiting outward traffic that is likely in the event of an exploitation
• applying mandatory access control preventing the execution of exploitation code
• setting file system permissions preventing exploitation code from being written to disk.

• deploying a Host-based Intrusion Prevention System (HIPS)
• monitoring logging alerts
• using other mechanisms for the detection of exploits using the known security vulnerability.

Patch management process and procedures

Applying patches or updates is critical to ensuring the security of applications, drivers, operating systems and firmware in workstations, servers, mobile devices, network devices and all other ICT equipment. To assist in this, information sources should be monitored for information about new patches or updates.

When to patch security vulnerabilities

There are multiple information sources that organisations can use to assess the applicability and impact of security vulnerabilities in the context of their environment. This can include information published in vendor security bulletins or in severity ratings assigned to security vulnerabilities using standards such as the Common Vulnerability Scoring System.

Once a patch is released by a vendor, and the associated security vulnerability has been assessed for its applicability and importance, the patch should be deployed in a timeframe that is commensurate with the security risk. Doing so ensures that resources are spent in an effective and efficient manner by focusing effort on the most significant security risks first.

If a patch is released for high assurance ICT equipment, the ACSC will conduct an assessment of the patch and may revise the ICT equipment’s usage guidance. Where required, the Australian Signals Directorate will conduct an assessment of any cryptographic security vulnerability and the ACSC may revise usage guidance in the Consumer Guide or Australian Communications Security Instruction. If a patch for high assurance ICT equipment is approved for deployment, the ACSC will inform organisations of the timeframe in which the patch is to be deployed.

If no patches are immediately available for security vulnerabilities, temporary workarounds may provide the only effective protection until patches become available. These workarounds may be published in conjunction with, or soon after, security vulnerability announcements. Temporary workarounds may include disabling the vulnerable functionality within the operating system, application or device, or restricting or blocking access to the vulnerable service using firewalls or other access controls. The decision as to whether a temporary workaround is implemented should be riskbased, as with patching.

How to patch security vulnerabilities

To ensure that patches are applied consistently across an organisation’s workstation and server fleet, it is essential that organisations use a centralised and managed approach. This will assist in ensuring the integrity and authenticity of patches being applied to workstations and servers.

Cessation of support

When applications, operating systems and ICT equipment reach their cessation date for support, organisations will find it increasingly difficult to protect against security vulnerabilities as patches, or other forms of support, will not be made available by vendors. While the cessation date for support for operating systems is generally advised many years in advance by vendors, other applications and ICT equipment may cease to receive support immediately after a newer version is released by a vendor.

Identifying the need for change

• identification of security vulnerabilities or cyber threats
• users identifying problems or a need for system enhancements
• upgrades or patches for software or ICT equipment
• vendors notifying the end of life for software or ICT equipment
• the implementation of new software or ICT equipment
• organisational or business process changes
• other continuous improvement activities.

Change management process and procedures

The use of a change management process ensures that changes to systems are made in an accountable manner with appropriate consultation and approval. Furthermore, a change management process provides an opportunity for the security impact of any changes to systems to be considered.

In implementing changes to systems, it is important that change management procedures clearly articulate the steps to be taken for each part of the change management process.

Digital preservation policy

Developing and implementing a digital preservation policy as part of digital continuity planning can assist in ensuring the long term integrity and availability of important information is maintained. Especially when taking into account the potential for data degradation and media, hardware and software obsolesce.

Data backup and restoration processes and procedures

Having data backup and restoration processes and procedures is an important part of business continuity and disaster recovery planning. Such activities will also form an integral part of an overarching digital preservation policy.

Performing backups

When performing backups, all important information, software and configuration settings for software, network devices and other ICT equipment should be captured on a daily basis. This will ensure that should a system fall victim to a ransomware attack, important information will not be lost and that business operations will have reduced downtime.

Backup storage

To mitigate the likelihood of information becoming unavailable due to accidental or malicious deletion of backups, organisations should ensure that backups are protected from unauthorised modification, corruption and deletion. This can be achieved by storing backups offline, ideally at multiple geographically-dispersed locations, or online but in a nonrewritable and non-erasable manner, such as through the use of write once, read many technologies.

Retention periods for backups

To prevent backups from being retained for an insufficient amount of time to allow for the recovery of information, organisations are strongly encouraged to store backups for three months or greater. In addition, when determining backup retention times, organisations are encouraged to consult with relevant retention requirements as documented in the National Archives of Australia’s Administrative Functions Disposal Authority publication.

Testing restoration of backups

To ensure that backups can be restored when the need arises, it is important that full restoration of backups has been tested at least once following the implementation of backup technologies and processes. Furthermore, full restoration of backups should be tested each time fundamental information technology changes occur, such as when deploying new backup technologies. In the intervening time, it is important that regular testing in the form of partial restoration of backups is undertaken.

Event logging policy

By developing an event logging policy, an organisation can improve their chances of detecting malicious behaviour on systems and networks. Such an event logging policy would cover events to be logged, logging facilities to be used, event log retention periods and how event logs will be protected.

Centralised logging facility

A centralised logging facility can be used to correlate event logs from multiple sources. This functionality may be provided by a Security Information and Event Management solution.

Events to be logged

The following list of events can assist in monitoring the security posture of systems, detecting malicious behaviour and contributing to investigations following cyber security incidents.

Events log details

For each event logged, sufficient detail needs to be recorded in order for the event log to be useful.

Event log protection

Effective event log protection and storage ensures the integrity and availability of captured event logs.

Event log retention

Since event logs can contribute to investigations following cyber security incidents, they should ideally be retained for the life of a system, and potentially longer. However, the minimum retention requirement for these records under the National Archives of Australia's Administrative Functions Disposal Authority publication is seven years.

Event log auditing process and procedures

Auditing of event logs is an integral part of maintaining the security posture of systems. Such activities can help detect and attribute any violations of security policy, including cyber security incidents.

Vulnerability management policy

Vulnerability management activities can assist organisations to be proactive in identifying, prioritising and responding to security vulnerabilities. Measures to monitor and manage security vulnerabilities in systems can also provide organisations with a wealth of valuable information about their exposure to cyber threats, as well as assisting them to determine security risks associated with the operation of systems. Undertaking regular vulnerability management activities is important as cyber threats will change over time.

Conducting vulnerability assessments and penetration tests

A vulnerability assessment can consist of a documentation-based review of a system’s design, an in-depth hands-on assessment or automated scanning with software tools. In each case, the goal is to identify as many security vulnerabilities as possible. A penetration test however is designed to exercise real-world targeted cyber intrusion scenarios in an attempt to achieve a specific goal, such as compromising critical systems or information.

Conducting a vulnerability assessment and penetration test prior to systems being deployed, and after significant changes, can allow an organisation to establish a baseline for system monitoring activities. In addition, conducting a vulnerability assessment and penetration test annually can ensure that the latest cyber threats are being addressed.

Overall, a vulnerability assessment or penetration test should be conducted by suitably skilled personnel independent of the system being assessed. Such personnel can be internal to an organisation or a third party. Where possible, it is advisable that system managers do not conduct such activities themselves. This ensures that there is no conflict of interest, perceived or otherwise, and that the activities are undertaken in an objective manner.

Development environments

Segregating software development, testing and production environments can limit the spread of malicious code and minimises the likelihood of faulty code in a production environment.

Secure software design

Threat modelling is an important part of secure software design. Threat modelling identifies at risk components of software, enabling security controls to be identified to reduce security risks.

Secure programming practices

Once a secure software design has been identified, secure programming practices should be followed during software development activities.

Software testing

Software testing will lessen the possibility of security vulnerabilities in software being introduced into a production environment. Software testing can be performed using both static testing, such as code analysis, as well as dynamic testing, such as input validation and fuzzing. Using an independent party for software testing will remove any bias that can occur when a software developer tests their own software.

Protecting web applications

Even when a web application only contains public information, there remains a need to protect the integrity and availability of the information processed by the web application and the system it is hosted on.

Web application frameworks

Web application frameworks can be leveraged by software developers to enhance the security of a web application while decreasing development time. These resources can assist software developers to securely implement complex components such as session management, input handling and cryptographic operations.

Input handling

Most web application vulnerabilities are caused by the lack of secure input handling. It is essential that web applications do not trust any input such as the website address and its parameters, Hypertext Markup Language (HTML) form data, cookie values and Hypertext Transfer Protocol (HTTP) request headers without validating or sanitising it.

• ensuring a telephone form field contains only numerals
• ensuring data used in a Structured Query Language query is sanitised properly
• ensuring Unicode input is handled appropriately.

Output encoding

The likelihood of cross-site scripting and other content injection attacks can be reduced through the use of contextual output encoding. The most common example of output encoding is the use of HTML entities. Performing HTML entity encoding causes potentially dangerous HTML characters such as '<', '>' and '&' to be converted into their encoded equivalents '<', '>' and '&'.

Output encoding is particularly useful where external data sources, which may not be subject to the same level of input filtering, are output to users.

Web browser-based security controls

Web browser-based security controls such as Content Security Policy, HTTP Strict Transport Security and Frame Options can be leveraged by web applications to help protect both web applications and their users.

These security controls are implemented by the web application via the insertion of HTTP headers containing security policy in outgoing responses. Web browsers then apply the security controls according to the defined security policy. Since the security controls are applied via HTTP headers, it makes it possible to apply the security controls to legacy or proprietary web applications where changes to the source code are impractical.

Open Web Application Security Project

The Open Web Application Security Project (OWASP) provides a comprehensive resource to consult when developing web applications.

Protecting database server contents

Database server contents can be protected from unauthorised access (e.g. by the physical theft of a database server or failure to sanitise database server hardware before disposal) through the use of encryption.

Functional separation between database servers and web servers

Placing databases used by web applications on the same physical server as a web server can expose them to an increased possibility of compromise by an adversary.

Communications between database servers and web servers

Information communicated between database servers and web applications, especially over the Internet, is susceptible to capture by an adversary.

Network environment

Placing database servers on the same network segment as an organisation’s workstations and allowing them to communicate with other network resources exposes them to an increased possibility of compromise by an adversary. Alternatively, in cases where databases will only be accessed from their own database server, allowing remote access to the database server poses an unnecessary security risk.

Separation of production, test and development database servers

Using production database servers for test and development activities could result in accidental damage to their integrity or contents.

Temporary installation files and logs

DBMS software will often leave behind temporary installation files and logs during the installation process, in case an administrator needs to troubleshoot a failed installation. Information in these files, which can include passphrases in the clear, could provide valuable information to an adversary.

Hardening and configuration

Poorly configured DBMS software could provide an opportunity for an adversary to gain unauthorised access to database content. To assist organisations in deploying DBMS software, vendors often provide guidance on how to securely configure their DBMS software. Furthermore, DBMS software is often installed with most features enabled by default.

Restricting privileges

If DBMS software operating as a local administrator or root account is compromised by an adversary, it can present a significant security risk to the underlying operating system.

DBMS software is also often capable of accessing files that it has read access to on the database server. For example, an adversary using an SQL injection could use the command LOAD DATA LOCAL INFILE ‘etc/passwd’ INTO TABLE Users or SELECT load_file(“/etc/passwd”) to access the contents of a Linux password file. Disabling the ability of the DBMS software to read local files from a server will prevent such SQL injection from succeeding. This could be performed, for example, by disabling use of the LOAD DATA LOCAL INFILE command.

Database administrator accounts

DBMS software often comes pre-configured with default database administrator accounts and passphrases that are listed in vendor documentation. These default database administrator accounts should be disabled, renamed or have their passphrases changed.

When sharing database administrator accounts for the performance of administrative tasks, any actions undertaken will not be attributable to an individual database administrator. This can hinder investigations relating to an attempted, or successful, targeted cyber intrusion. Furthermore, database administrator accounts shared across different databases can exacerbate any compromise of a database administrator account by an adversary.

When creating new database administrator accounts, the accounts are often allocated all privileges available to administrators. Most database administrators will only need a subset of all available privileges to undertake their authorised duties.

Database register

Without knowledge of all the databases in an organisation, and the information they contain, an organisation will be unable to appropriately protect their assets.

Protecting database contents

Database contents can be protected from unauthorised copying and subsequent offline analysis by applying file-based access controls to database files.

Protecting authentication credentials in databases

Storing authentication credentials such as usernames and passphrases as plaintext in databases poses a significant security risk. An adversary that manages to gain access to a database’s contents could extract these authentication credentials to gain access to users’ accounts. In addition, it is possible that a user could have reused a username and passphrase for their workstation posing an additional security risk.

Protecting database contents

Database administrators and database users should know the sensitivity or classification associated with a database and its contents to ensure that sufficient security controls are applied. In cases where all of a database’s contents are the same sensitivity or classification an organisation may choose to classify the entire database at this level. Alternatively, in cases where a database’s contents are of varying sensitivity or classification levels, and database users have differing levels of access to such information, an organisation may choose to apply classifications at a more granular level within the database.

Limiting database user’s ability to access, insert, modify or remove content from databases based on their work duties ensures the need-to-know principle is applied and the likelihood of unauthorised modifications is reduced.

Aggregation of database contents

Where concerns exist that the sum, or aggregation, of separate pieces of information from within databases could lead to an adversary determining more sensitive or classified information, database views in combination with database user access roles should be implemented. Alternatively, the information of concern could be separated by implementing multiple databases, each with restricted data sets. If implemented properly, this will ensure an adversary cannot access the sum of information components leading to the aggregated information.

Separation of production, test and development databases

Using information from production databases in test or development databases could result in inadequate protection being applied to the information.

Web application interaction with databases

SQL injection is a significant threat to the confidentiality, integrity and availability of database contents. SQL injections can allow an adversary to steal information from databases, modify database contents, delete an entire database or even in some circumstances gain control of the underlying database server. Furthermore, when database queries from web applications fail they may display detailed error information about the database schema to users of the web application. This can be used by an adversary to tailor SQL injection attempts.

Email usage policy

There are many security risks associated with the use of email that are often overlooked by users. Documenting these security risks, and associated mitigations, in an email usage policy will inform users of precautions to take when using email.

Webmail services

When users access non-approved webmail services they are effectively bypassing email content filtering controls as well as other security controls that may have been implemented for an organisation’s email gateways and servers. While web content filtering controls may mitigate some security risks (e.g. some forms of malicious attachments), they are unlikely to address specific security risks relating to emails (e.g. spoofed email contents).

Protective markings for emails

Implementing protective markings for emails ensures that appropriate security controls are applied to information, and also helps to prevent unauthorised information being released into the public domain. In doing so, it is important that protective markings accurately reflect the information in the subject, body and attachments of emails.

Protective marking tools

Requiring user involvement in the marking of emails ensures a conscious decision by users, thereby lessening the chance of incorrectly marked emails. In addition, allowing users to select only protective markings for which a system is authorised to process, store or communicate lessens the chance of users inadvertently over-classifying an email. This also serves to remind users of the maximum sensitivity or classification of information permitted on a system.

Email content filters may only check the most recent protective marking applied to an email. Therefore, when users are responding to or forwarding an email, requiring a protective marking which is at least as high as that of the email they received will help email content filters prevent emails being sent to systems that are not authorised to handle the original sensitivity or classification of the email.

Handling emails with inappropriate, invalid or missing protective markings

It is important that email servers are configured to block emails with inappropriate protective markings. For example, blocking inbound and outbound emails with a protective marking higher than the sensitivity or classification of the receiving system will prevent a data spill from occurring. In doing so, it is important to inform recipients of blocked inbound emails, and the sender of blocked outbound emails, that this has occurred.

If an email is received with an invalid or missing protective marking it may still be passed to its intended recipients; however, the recipients will have an obligation to determine the appropriate protective marking for the email if it is to be responded to, forwarded or printed. If unsure, the sender of the original email should be contacted to seek clarification of handling requirements.

Email distribution lists

Often the membership and nationality of members of email distribution lists is unknown. Therefore, users sending emails with Australian Eyes Only (AUSTEO), Australian Government Access Only (AGAO) or Releasable To (REL) information to distribution lists could accidentally cause a data spill.

Centralised email gateways

Without a centralised email gateway it is difficult to deploy Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and protective marking checks.

Email gateway maintenance activities

An adversary will often avoid using an organisation’s primary email gateway when sending malicious emails. This is because backup and alternative email gateways are often poorly maintained in terms of patches and email content filtering controls. As such, it is important that extra effort is made to ensure that backup and alternative email gateways are maintained to the same standard as the primary email gateway.

Open relay email servers

An open relay email server (or open mail relay) is a server that is configured to allow anyone on the Internet to send emails through that email server. Such configurations are highly undesirable as spammers and worms can exploit them.

Email server transport encryption

Emails can be intercepted anywhere between originating email servers and destination email servers. Enabling Transport Layer Security (TLS) on email servers will mitigate the compromise of email traffic, with the exception of cryptanalysis of email traffic.

Implementing Internet Engineering Task Force (IETF) Request for Comments (RFC) 3207 can protect email traffic while ensuring email servers remain compatible with other email servers due to the use of opportunistic TLS encryption.

Sender Policy Framework

SPF, and alternative implementations such as Sender ID, aid in the detection of spoofed emails. This is achieved by SPF records specifying a list of Internet Protocol addresses or domains that are allowed to send emails from specific domains. If an email server that sends an email is not in the SPF record for that domain, verification will fail.

DomainKeys Identified Mail

DKIM enables the detection of spoofed email contents. This is achieved by DKIM records specifying the public key used to sign an email’s contents. Specifically, if the signed digest in the email header does not match the signed contents of the email, verification will fail.

Domain-based Message Authentication, Reporting and Conformance

Domain-based Message Authentication, Reporting and Conformance (DMARC) enables a domain owner to specify what action receiving email servers should take if they receive an email that fails a SPF/Sender ID or DKIM check. This includes ‘reject’ (the email is rejected), ‘quarantine’ (the email is marked as spam) or ‘none’ (no action is taken).

DMARC also provides a reporting feature which enables a domain owner to receive reports on the actions taken by receiving email servers. While this feature does not mitigate malicious emails sent to the domain owner’s organisation, it can give the domain owner some visibility of attempts by adversaries to spoof their organisation’s domains.

Email content filtering

Content filtering performed on email bodies and attachments provides a defence-in-depth approach to preventing malicious content being introduced into a network. Specific guidance on implementing email content filtering can be found in the Australian Cyber Security Centre (ACSC)’s Malicious Email Mitigation Strategies publication.

Blocking suspicious emails

Blocking specific types of emails reduces the likelihood of phishing emails entering an organisation’s network.

Undeliverable messages

Undeliverable or bounce emails are commonly sent by receiving email servers when an email cannot be delivered, usually because the destination address is invalid. Due to the common spamming practice of spoofing sender addresses, this often results in a large amount of bounce emails being sent to an innocent third party. Sending bounces only to senders that can be verified via SPF, or other trusted means, avoids contributing to this problem and allows trusted parties to receive legitimate bounce messages.

Network documentation

It is important that network documentation accurately depicts the current state of a network. This typically includes network devices such as firewalls, data diodes, intrusion detection and prevention systems, routers, switches, and critical servers and services. Furthermore, as this documentation could be used by an adversary to assist in compromising a network, it is important that it is appropriately protected.

Network segmentation and segregation

Network segmentation and segregation is one of the most effective security controls to prevent an adversary from propagating through a network and accessing target information after they have gained initial access. Technologies to enforce network segmentation and segregation also contain logging functionality that can be valuable in detecting an intrusion and, in the event of a compromise, isolating compromised devices from the rest of a network.

Network segmentation and segregation involves separating a network into multiple functional network zones with a view to protecting important information and critical services. For example, one network zone may contain user workstations while another network zone contains authentication servers. Proper network segmentation and segregation also assists in the creation and maintenance of proper network access control lists.

Using Virtual Local Area Networks

Virtual Local Area Networks (VLANs) can be used to implement network segmentation and segregation as long as the networks are all official networks or all the same classification. In such cases, if a data spill occurs between the networks the impact will be lesser than if a data spill occurred between two networks of different classifications or between an official or classified network and public network infrastructure.

For the purposes of this section, Multiprotocol Label Switching is considered to be equivalent to VLANs and is subject to the same controls.

Using Internet Protocol version 6

Internet Protocol version 6 (IPv6) functionality can introduce additional security risks to a network. As such, disabling IPv6 functionality until it is intended to be used will minimise the attack surface of the network and ensure that any IPv6 functionality that is not intended to be used cannot be exploited.

To aid in the transition from Internet Protocol version 4 (IPv4) to IPv6, numerous tunnelling protocols have been developed that are designed to allow interoperability between the protocols. Disabling IPv6 tunnelling protocols on network devices and ICT equipment that do not explicitly require such functionality will prevent an adversary bypassing traditional network defences by encapsulating IPv6 data inside IPv4 packets.

Stateless Address Autoconfiguration (SLAAC) is a method of stateless Internet Protocol (IP) address configuration in IPv6 networks. SLAAC reduces the ability of an organisation to maintain effective logs of IP address assignment on a network. For this reason, stateless IP addressing should be avoided.

Network access controls

If an adversary has limited opportunities to connect to a network, they have limited opportunities to compromise that network. Network access controls not only prevent unauthorised access to a network but also prevent users carelessly connecting a network to another network.

Network access controls are also useful in segregating information for specific users with a need-to-know or limiting the flow of information between network segments. For example, computer management traffic can be permitted between workstations and systems used for administration purposes but not permitted between standard user workstations.

Network device register

Maintaining and regularly auditing a register of authorised network devices can assist in determining whether devices such as switches, routers, wireless access points and internet dongles on a network or connected directly to workstations are rogue or not. The use of automated discovery and mapping tools can assist in this process.

Default accounts for network devices

Network devices can come pre-configured with default credentials. For example, wireless access points with an administrator account named ‘admin’ and a passphrase of ‘admin’ or ‘password’. Ensuring default accounts are disabled, renamed or have their passphrase changed can assist in reducing the likelihood of their exploitation by an adversary.

Disabling unused physical ports on network devices

Disabling unused physical ports on network devices such as switches, routers and wireless access points reduces the opportunity for an adversary to connect to a network if they can gain physical access to network devices.

Functional separation between servers

Implementing functional separation between servers can reduce the security risk that a server compromised by an adversary will pose an increased security risk to other servers.

Functional separation between server-side computing environments

Software-based isolation mechanisms are commonly used to share a physical server’s hardware among multiple computing environments. The benefits of using software-based isolation mechanisms to share a physical server’s hardware include increasing the range of activities that it can be used for and maximising the utilisation of its hardware.

A computing environment could consist of an entire operating system installed in a virtual machine where the isolation mechanism is a hypervisor, as is commonly used in cloud services providing Infrastructure as a Service. Alternatively, a computing environment could consist of an application which uses the shared kernel of the underlying operating system of the physical server where the isolation mechanisms are application containers or application sandboxes, as is commonly used in cloud services providing Platform as a Service. The logical separation of data within a single application, which is commonly used in cloud services providing Software as a Service, is not considered to be the same as multiple computing environments.

An adversary who has compromised a single computing environment, or who legitimately controls a single computing environment, might exploit a misconfiguration or security vulnerability in the isolation mechanism to compromise other computing environments on the same physical server, or compromise the underlying operating system of the physical server.

Management traffic

Implementing security measures specifically for management traffic provides another layer of defence on a network should an adversary find an opportunity to connect to that network. This also makes it more difficult for an adversary to enumerate a network.

Use of Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) can be used to monitor the status of network devices such as switches, routers and wireless access points. The first two iterations of SNMP were inherently insecure as they used trivial authentication methods. Furthermore, changing all default SNMP community strings on network devices and limiting access to read-only access is strongly encouraged.

Using Network-based Intrusion Detection and Prevention Systems

A Network-based Intrusion Detection System (NIDS) or Network-based Intrusion Prevention System (NIPS), when configured correctly and supported by suitable processes and resources, can be an effective way of identifying and responding to known intrusion profiles.

In addition, generating alerts for information flows that contravene any rule in a firewall rule set can help security personnel respond to suspicious or malicious traffic entering a network due to a failure or configuration change to firewalls.

Choosing wireless access points

Wireless access points that have been certified against a Wi-Fi Alliance certification program provide an organisation with the assurance that they conform to wireless standards. Deploying wireless access points that are guaranteed to be interoperable with other wireless access points will prevent any problems on a wireless network.

Wireless networks for public access

When an organisation provides a wireless network for the general public, connecting such a wireless network to, or sharing infrastructure with, any other network creates an additional entry point for an adversary to target connected networks to steal information or disrupt services.

Administrative interfaces for wireless access points

Administrative interfaces allow users to modify the configuration and security settings of wireless access points. Often wireless access points, by default, allow users to access the administrative interface over methods such as fixed network connections, wireless network connections and serial connections. Disabling the administrative interface for wireless network connections on wireless access points will assist in preventing unauthorised connections.

Default Service Set Identifiers

Some wireless access points come with a default Service Set Identifier (SSID) which is used to identify a wireless network. As the default SSIDs of wireless access points are often documented on online forums, along with default accounts and passphrases, it is important to change the default SSID of wireless access points.

When changing the default SSID, it is important that the new SSID does not bring undue attention to an organisation’s wireless network. In doing so, the SSID of a wireless network should not be readily associated with an organisation, the location of their premises or the functionality of the wireless network.

A method commonly recommended to lower the profile of a wireless network is disabling SSID broadcasting. While this ensures that the existence of the wireless networks is not broadcast overtly using beacon frames, the SSID is still broadcast in probe requests, probe responses, association requests and re-association requests. As such, it is easy to determine the SSID of the wireless network by capturing these requests and responses. By disabling SSID broadcasting, organisations will make it more difficult for users to connect to a wireless network. Furthermore, an adversary could configure a malicious wireless access point to broadcast the same SSID as the hidden SSID used by a legitimate wireless network, thereby fooling users or devices into automatically connecting to the adversary’s malicious wireless access point instead. In doing so, the adversary could steal authentication credentials in order to gain access to the legitimate wireless network. For these reasons, it is recommended organisations enable SSID broadcasting.

Static addressing

Assigning static IP addresses for devices accessing wireless networks can prevent a rogue device when connecting to a wireless network from being assigned a routable IP address. However, some adversaries will be able to determine IP addresses of legitimate users and use this information to guess or spoof valid IP address ranges for wireless networks. Configuring devices to use static IP addresses introduces a management overhead without any tangible security benefit.

Media Access Control address filtering

Devices that connect to wireless networks generally have a unique Media Access Control (MAC) address. As such, it is possible to use MAC address filtering on wireless access points to restrict which devices can connect to a wireless network. While this approach will introduce a management overhead for configuring whitelists of approved MAC addresses, it can prevent rogue devices from connecting to a wireless network. However, some adversaries will be able to determine valid MAC addresses of legitimate users already on a wireless network. Adversaries can then use this information to spoof valid MAC addresses and gain access to the wireless network. MAC address filtering introduces a management overhead without any tangible security benefit.

802.1X authentication

When an organisation chooses to deploy a wireless network, a number of Extensible Authentication Protocol (EAP) methods that are supported by the Wi-Fi Protected Access 2 (WPA2) protocol can be chosen. These EAP methods include WPA2-Enterprise with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), WPA2-Enterprise with Extensible Authentication Protocol-Tunnelled Transport Layer Security or WPA2-Enterprise with Protected Extensible Authentication Protocol.

WPA2-Enterprise with EAP-TLS is considered one of the most secure EAP methods. Furthermore, due to its inclusion in the initial release of the WPA2 standard, it enjoys wide support in wireless access points and operating systems. EAPTLS uses a public key infrastructure (PKI) to secure communications between devices and a Remote Access Dial-In User Service (RADIUS) server through the use of x.509 certificates. While EAP-TLS provides strong mutual authentication, it requires an organisation to have established a PKI. This involves deploying their own certificate authority and issuing certificates, or purchasing certificates from a commercial certificate authority, for every device that accesses the wireless network. While this introduces additional costs and management overheads, the security advantages are significant.

Evaluation of 802.1X authentication implementation

The security of 802.1X authentication is dependent on three main elements and how they interact with each other. These three elements include supplicants (clients) that support the 802.1X authentication protocol; authenticators (wireless access points) that facilitate communication between supplicants and the authentication server; and the RADIUS server that is used for authentication, authorisation and accounting purposes. To provide assurance that these elements have been implemented correctly, supplicants, authenticators and the authentication server should have completed an evaluation.

Generating and issuing certificates for authentication

When issuing a certificate to a device in order to access a wireless network, organisations should be aware that it could be stolen by malicious code. Once compromised, the certificate could be used on other devices to gain unauthorised access to the wireless network it was issued for. Organisations should also be aware that in only issuing a certificate to a device, any actions taken by a user will only be attributable to a device and not a specific user.

When issuing a certificate to a user in order to access a wireless network, it can be in the form of a certificate that is stored on a device or a certificate that is stored within a smart card. Issuing certificates on smart cards provides increased security, but at a higher cost. Specifically, a user is more likely to notice a missing smart card and alert their security team, who are then able to revoke the credentials on the RADIUS server, which can minimise the time an adversary has access to the wireless network. In addition, to reduce the likelihood of a stolen smart card from being used to gain unauthorised access to a wireless network, two-factor authentication can be implemented through the use of personal identification numbers (PINs) on smart cards. This is particularly important when a smart card grants a user any form of administrative access.

Caching 802.1X authentication outcomes

When 802.1X authentication is used, a shared secret key known as the Pairwise Master Key (PMK) is generated. Upon successful authentication of a device, the PMK is capable of being cached to assist with fast roaming between wireless access points. When a device roams away from a wireless access point that it has authenticated to, it will not need to perform a full re-authentication should it roam back while the cached PMK remains valid. To further assist with roaming, wireless access points can be configured to pre-authenticate a device to other neighbouring wireless access points that the device might roam to. Although requiring full authentication for a device each time it roams between wireless access points is ideal, organisations can choose to use PMK caching and pre-authentication if they have a business requirement for fast roaming. If PMK caching is used, the PMK caching period should not be set to greater than 1440 minutes (24 hours).

Remote Authentication Dial-In User Service authentication

Separate to the 802.1X authentication process is the RADIUS authentication process that occurs between wireless access points and a RADIUS server. To protect authentication information communicated between wireless access points and a RADIUS server, communications should be encapsulated with an additional layer of encryption.

Encryption of wireless network traffic

As wireless networks are often capable of being accessed from outside the perimeter of secured spaces, all wireless network traffic should be encrypted. Depending on the sensitivity or classification of information being communicated, this may involve using an Australian Signals Directorate (ASD) Approved Cryptographic Protocol, an evaluated product or High Assurance Cryptographic Equipment.

Interference between wireless networks

Where multiple wireless networks are deployed in close proximity, there is the potential for interference to impact the availability of a wireless network, especially when operating on commonly used 802.11b/g (2.4 GHz) default channels of 1 and 11. Sufficiently separating wireless networks through the use of frequency separation can help reduce this security risk. This can be achieved by using wireless networks that are configured to operate on channels that minimise overlapping frequencies or by using both 802.11b/g (2.4 GHz) channels and 802.11n (5 GHz) channels. It is important to note though, if implementing a mix of 2.4 GHz and 5 GHz channels, not all devices may be compatible with 802.11n and able to connect to 5 GHz channels.

Protecting management frames on wireless networks

An effective denial of service can be performed by exploiting unprotected management frames using inexpensive commercial hardware. The 802.11 standard provides no protection for management frames and therefore does not prevent spoofing or denial of service activities. However, the 802.11w amendment specifically addresses the protection of management frames on wireless networks and should be enabled.

Wireless network footprint

Instead of deploying a small number of wireless access points that broadcast on high power, a greater number of wireless access points that use less broadcast power can be deployed to achieve the desired footprint. This has the benefit of providing service continuity should a wireless access point become unserviceable. In such a case, the output power of nearby wireless access points can be increased to cover the footprint gap until the unserviceable wireless access point can be replaced.

In addition to minimising the output power of wireless access points to reduce the footprint of a wireless network, the use of Radio Frequency (RF) shielding can be used for an organisation’s premises. While expensive, this will limit the wireless communications to areas under the control of an organisation. RF shielding on an organisation’s premises has the added benefit of preventing the jamming of wireless networks from outside of the premises in which wireless networks are operating.

Denial-of-service attacks

Denial-of-service attacks are designed to disrupt or degrade online services such as website, email and Domain Name System services.

• using multiple computers to direct a large volume of unwanted network traffic at online services in an attempt to consume all available network bandwidth
• using multiple computers to direct tailored traffic at online services in an attempt to consume the processing resources of online services
• hijacking online services in an attempt to redirect legitimate users away from those services to other services that the adversary controls.

Although an organisation cannot avoid being targeted by denial-of-service attacks, there are a number of measures they can implement to prepare for and potentially reduce the impact if targeted. Preparing for denial-of-service attacks before they occur is by far the best strategy, it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.

Determining essential online services

Not all online services or functionality offered by an organisation may be business critical. Understanding what services can be offered with reduced functionality, deprioritised, disabled or lived without can help an organisation reduce or eliminate the impact on other more essential services or free up resources to respond to more critical services first.

Service provider denial of service strategies

The volume of network traffic that can be achieved by an adversary using a botnet or an amplification-based denial-of-service attack can overwhelm the bandwidth of an organisation's internet connection. Assistance from service providers who have the ability to block network traffic upstream from a targeted service or organisation is essential.

Domain name registrar locking

The use of domain name registrar locking can prevent a denial of service caused by unauthorised deletion or transferal of a domain, or other unauthorised modification of a domain's registration details.

Establishing contact details with service providers

Proper and timely communication is essential in responding to a denial-of-service attack, particularly since normal means of communication such as corporate email or websites may be unavailable or degraded during a denial-of-service attack.

Monitoring with real-time alerting for online services

Organisations should perform automated monitoring of online services with real-time alerting to ensure that a denial-of-service attack is detected and responded to as soon as possible.

Segregation of critical online services

Denial-of-service attacks are typically focused on highly visible online services, such as an organisation’s core website, in order to have a publically noticeable impact. By segregating online services (e.g. having one internet connection for email and internet access and a separate connection for web hosting services) the impact of a denial-of-service attack can be limited to just a targeted service.

Preparing for service continuity

Depending on the nature of a denial-of-service attack, replacing a full featured website with a minimal impact static version can help provide a level of service or information to customers which would otherwise not be possible.

An organisation’s standard full featured website may have higher processing or resource demands due to database integration or the presence of large media files such as high-resolution images or videos. These additional resource requirements may make the website more susceptible to denial-of-service attacks.

Cloud-based hosting of online services

Using a cloud hosting provider can allow an organisation to build highly resilient online services due to the increased computing resources, bandwidth and multiple separate physical sites made available by the cloud provider. Organisations can achieve the same results using their own infrastructure; however, this may require significant upfront costs and may still result in a limited capability to scale dynamically to meet increased demand. In case of a denial-of-service attack, cloud-based hosting can also provide segregation from self-hosted or other cloud hosted services ensuring that other systems, such as email services, are not affected.

Using content delivery networks and denial of service mitigation services

Similar to cloud-based hosting, the use of content delivery networks (CDNs) and denial of service mitigation services can allow an organisation to create highly resilient online services by leveraging the large bandwidth, geographically dispersed hosting locations, traffic scrubbing and other security controls offered by CDN and denial of service mitigation service providers.

The use of CDNs is particularly effective when serving static, bandwidth intensive media such as images, sound or video files. However, the services offered by a CDN can include more than basic content hosting such as web response caching, load balancing, web application security controls or denial of service mitigations.

Care should be taken when configuring the use of a CDN or denial of service mitigation service to ensure that the IP address of the organisation’s web server is not identifiable by an adversary as this could allow for the benefits and protections offered by the service provider to be bypassed. Additionally, appropriate network security controls should be applied to only allow communication between an organisation’s server, the service provider and the authorised management environment.

Purpose of cryptography

The purpose of cryptography is to provide confidentiality, integrity, authentication and non-repudiation of information. Confidentiality protects information by making it unreadable to all but authorised users, integrity protects information from accidental or deliberate manipulation, authentication ensures that a person or entity is who they claim to be, and non-repudiation provides proof that a user performed an action and prevents them from denying that they did so.

Using encryption

Encryption of data at rest can be used to reduce the physical storage and handling requirements for ICT equipment and media while encryption of data in transit can be used to provide protection for sensitive or classified information communicated over public network infrastructure.

When organisations use encryption for data at rest, or data in transit, they are not reducing the sensitivity or classification of information. However, as the information is encrypted, the consequences of the encrypted information being accessed by an adversary is considered to be less. Therefore, physical storage and handling requirements applied to the encrypted information can be reduced. As the sensitivity or classification of the unencrypted information does not change, additional layers of encryption cannot be used to further lower physical and handling requirements.

Additional cryptographic requirements

This document describes the general use of cryptography. The Australian Signals Directorate (ASD) may specify additional requirements in Consumer Guides for cryptographic equipment or encryption software once they have completed an ASD Cryptographic Evaluation (ACE). Such requirements supplement this document and where conflicts occur take precedence.

Federal Information Processing Standard 140

The Federal Information Processing Standard (FIPS) 140 is a United States standard for the validation of both hardware and software cryptographic modules. FIPS 140 is in its second iteration and is formally referred to as FIPS 140-2. This document refers to the standard as FIPS 140, but it applies equally to FIPS 140-1, FIPS 140-2 and FIPS 140-3, which had been released in draft but has since been abandoned.

FIPS 140 is not a substitute for an ACE as it is concerned solely with the cryptographic functionality of a module and does not consider any other security functionality. Where a module’s cryptographic functionality has been validated under FIPS 140, ASD can at its discretion, and in consultation with the vendor, reduce the scope of an ACE.

High assurance cryptographic equipment

High Assurance Cryptographic Equipment (HACE) is used by organisations to protect highly classified information. HACE is designed to lower the physical storage and handling requirements of highly classified information using cryptography. Due to the sensitive nature of HACE, and the limited information publicly available on it, organisations must contact the Australian Cyber Security Centre (ACSC) before using it.

Reducing physical storage and handling requirements

When encryption is applied to information it provides an additional layer of defence. Encryption does not change the sensitivity or classification of the information, but when encryption is used, the physical storage and handling requirements of ICT equipment and media may be reduced.

Encrypting information at rest

Full disk encryption provides a greater level of protection than file-based encryption. While file-based encryption may encrypt individual files, there is the possibility that unencrypted copies of files may be left in temporary locations used by an operating system.

Encrypting particularly important information at rest

Due to the sensitivities associated with Australian Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) information, this information needs to be encrypted when at rest.

Data recovery

The requirement for cryptographic equipment and encryption software to provide a key escrow function, where practical, was issued under a cabinet directive in July 1998.

Handling encrypted ICT equipment and media

When a user authenticates to encryption functionality for ICT equipment or media storing encrypted information, the encrypted information becomes accessible. At such a time, the ICT equipment or media should be handled according to its original sensitivity or classification. Once the user deauthenticates from encryption functionality (e.g. shuts down a device, activates a lock screen) the ICT equipment or media can return to potentially being handled at a lower level.

Reducing network infrastructure requirements

Where insufficient physical security is provided for the protection of information communicated over network infrastructure, encryption can be used to assist in protecting such information from compromise.

Encrypting particularly important information in transit

Due to the sensitivities associated with AUSTEO and AGAO information, it needs to be encrypted when being communicated across network infrastructure.

Evaluated cryptographic implementations

Implementations of the algorithms in this section need to undergo an ACE before they can be approved to protect classified information.

High assurance cryptographic algorithms

High assurance cryptographic algorithms, which are not covered in this section, can be used for the protection of highly classified information if they are suitably implemented in cryptographic equipment that has undergone a High Assurance (HA) evaluation. Further information on high assurance cryptographic algorithms can be obtained by contacting the ACSC.

ASD Approved Cryptographic Algorithms

There is no guarantee of an algorithm’s resistance against currently unknown attacks. However, the algorithms listed in this section have been extensively scrutinised by industry and academic communities in a practical and theoretical setting and have not been found to be susceptible to any feasible attacks. There have been some cases where theoretically impressive vulnerabilities have been found; however, these results are not of practical application.

AACAs fall into three categories: asymmetric/public key algorithms, hashing algorithms and symmetric encryption algorithms.

• Diffie-Hellman (DH) for agreeing on encryption session keys
• Digital Signature Algorithm (DSA) for digital signatures
• Elliptic Curve Diffie-Hellman (ECDH) for key exchange
• Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures
• Rivest-Shamir-Adleman (RSA) for digital signatures and passing encryption session keys or similar keys.

The approved hashing algorithm is Secure Hashing Algorithm 2 (SHA-2) (i.e. SHA-224, SHA-256, SHA-384 and SHA-512).

The approved symmetric encryption algorithms are Advanced Encryption Standard (AES) using key lengths of 128, 192 and 256 bits, and Triple Data Encryption Standard (3DES) using three distinct keys.

Where there is a range of key sizes for an algorithm, some of the smaller key sizes are not approved as they do not provide an adequate safety margin against possible future attacks. For example, advances in integer factorisation methods could render smaller RSA moduli vulnerable.

Using ASD Approved Cryptographic Algorithms

If cryptographic equipment or software implements unapproved algorithms as well as AACAs, it is possible that these unapproved algorithms could be configured without a user’s knowledge. In combination with an assumed level of security confidence, this can represent a security risk.

When configuring cryptographic equipment or software that implement an AACA, organisations can ensure that only the AACA can be used by disabling the unapproved algorithms (which is preferred) or advising users not to use the unapproved algorithms via usage policies.

Approved asymmetric/public key algorithms

Over the last decade, DSA and DH cryptosystems have been subject to increasingly successful sub-exponential index-calculus-based attacks. ECDH and ECDSA offer more security per bit increase in key size than DH or DSA and are considered more secure alternatives.

Using Diffie-Hellman

A modulus of at least 2048 bits for DH is considered best practice by the cryptographic community. A modulus smaller than 1024 bits for DH is considered cryptographically weak.

Using the Digital Signature Algorithm

A modulus of at least 2048 bits for DSA is considered best practice by the cryptographic community. A modulus smaller than 1024 bits for DSA is considered cryptographically weak.

Using Elliptic Curve Cryptography

The curve used within an elliptic curve algorithm can affect the security of the algorithm. Only approved curves should be used.

Using Elliptic Curve Diffie-Hellman

A field/key size of at least 256 bits for ECDH is considered best practice by the cryptographic community. A field/key size smaller than 160 bits for ECDH is considered cryptographically weak.

Using the Elliptic Curve Digital Signature Algorithm

A field/key size of at least 256 bits for ECDSA is considered best practice by the cryptographic community. A field/key size smaller than 160 bits for ECDSA is considered cryptographically weak.

Using Rivest-Shamir-Adleman

A modulus of at least 2048 bits for RSA is considered best practice by the cryptographic community. A modulus smaller than 1024 bits for RSA is considered cryptographically weak.

Approved hashing algorithms

Research conducted by the cryptographic community has shown Secure Hashing Algorithm 1 (SHA-1) is susceptible to collision attacks. In 2017, researchers demonstrated a SHA-1 collision with Portable Document Format files. A hashing algorithm from the SHA-2 family should be used instead of SHA-1.

Approved symmetric encryption algorithms

The use of Electronic Codebook Mode with block ciphers allows repeated patterns in plaintext to appear as repeated patterns in ciphertext. Most plaintext, including written language and formatted files, contains significant repeated patterns. As such, an adversary can use this to deduce possible meanings of ciphertext. The use of other modes such as Galois/Counter Mode, Cipher Block Chaining, Cipher Feedback or Output Feedback can prevent such attacks, although each has different properties which can make them inappropriate for certain use cases.

Using the Triple Data Encryption Standard

Using three distinct keys for 3DES is deemed the only secure option for practical purposes. All other keying options are susceptible to attacks that reduce the security of 3DES and are therefore not deemed secure. Where practical, organisations should use an approved implementation of AES, instead of 3DES.

Protecting highly classified information

ASD has approved the following cryptographic algorithms for the protection of highly classified information when used in an evaluated implementation. Recommended algorithms and key sizes should be given preference where possible for interoperability with the Commercial National Security Algorithm (CNSA) Suite.

Evaluated cryptographic implementations

Implementations of the protocols in this section need to undergo an ACE before they can be approved to protect classified information.

High assurance cryptographic protocols

Protocols for HACE, which are not covered in this section, can be used for the protection of highly classified information if they are suitably implemented in cryptographic equipment that has undergone a HA evaluation. Further information on high assurance cryptographic protocols can be obtained by contacting the ACSC.

ASD Approved Cryptographic Protocols

In general, ASD only approves the use of cryptographic equipment and software that has passed a formal evaluation. However, ASD approves the use of some cryptographic protocols even though their implementations in specific cryptographic equipment or software has not been formally evaluated by ASD. This approval is limited to cases where they are used in accordance with this document.

• Transport Layer Security (TLS)
• Secure Shell (SSH)
• Secure/Multipurpose Internet Mail Extension (S/MIME)
• OpenPGP Message Format
• Internet Protocol Security (IPsec)
• Wi-Fi Protected Access 2 (WPA2).

Using ASD Approved Cryptographic Protocols

If cryptographic equipment or software implements unapproved protocols, as well as AACPs, it is possible that relatively weak protocols could be configured without a user’s knowledge. In combination with an assumed level of security confidence, this represents a security risk.

When configuring cryptographic equipment or software that implements an AACP, organisations can ensure that only AACPs can be used by disabling unapproved protocols (which is preferred) or advising users not to use unapproved protocols via usage policies.

While many AACPs support authentication, organisations should be aware that these authentication mechanisms are not foolproof. To be effective, these mechanisms should also be securely implemented and protected. This can be achieved by providing appropriate private key protection, ensuring the correct management of certificate authentication processes, including certificate revocation checking, and using a legitimate identity registration scheme.

Definitions

The terms Secure Sockets Layer (SSL) and TLS have traditionally been used interchangeably. However, as SSL 3.0 is no longer an AACP, instances of ‘SSL’ refer to SSL version 3.0 and below while ‘TLS’ refers to TLS 1.0 and beyond.

Using Transport Layer Security

The latest version of TLS is version 1.3, which was released in August 2018.

When using ICT equipment or software that implements TLS, security controls for using AACPs also need to be consulted in the ASD Approved Cryptographic Protocols section of these guidelines.

Perfect Forward Secrecy

Using Perfect Forward Secrecy (PFS) reduces the impact of the compromise of a TLS session.

Using Secure Shell

When using ICT equipment or software that implements SSH, security controls for using AACPs also need to be consulted in the ASD Approved Cryptographic Protocols section of these guidelines.

Configuring Secure Shell

SSH version 1 was found to have a number of security vulnerabilities. As such, it was replaced by SSH version 2. A number of security risks also exist when SSH is configured in an insecure manner. For example, forwarding connections and access privileges, using host-based authentication, and permitting system administrator logins. The configuration settings below are based on OpenSSH. Organisations using other implementations of SSH should adapt these settings to suit their SSH implementation.

Authentication mechanisms

Public key-based authentication schemes offer stronger authentication than passphrase-based authentication schemes due to passphrases being more susceptible to guessing attacks. Therefore, if passphrases are used, counter-measures should be put in place to reduce the chance of a successful brute force attack.

Automated remote access

• if access from unknown Internet Protocol (IP) addresses is not restricted, an adversary could automatically authenticate to systems without needing to know any passphrases
• if port forwarding is not disabled, or it is not configured securely, access may be gained to forwarded ports thereby creating a communication channel between an adversary and a host
• if agent credential forwarding is enabled, an adversary could connect to the stored authentication credentials and use them to connect to other trusted hosts, or even intranet hosts if port forwarding has been allowed as well
• if X11 display remoting is not disabled, an adversary could gain control of displays as well as keyboard and mouse control functions
• if console access is allowed, every user who logs into the console could run programs that are normally restricted to authenticated users.

To assist in mitigating these security risks, it is essential that the 'forced command' option is used to specify what command is executed and parameter checked is enabled.

SSH-agent

SSH-agent or other similar key caching programs hold and manage private keys stored on workstations and respond to requests from remote systems to verify these keys. When an SSH-agent launches, it requests the user’s passphrase to unlock the user’s private key. Subsequent access to remote systems is performed by the agent and does not require the user to re-enter their passphrase. Screen locks and expiring key caches ensure that the user’s private key is not left unlocked for a long period of time. Furthermore, to limit the exposure of credentials, agent credential forwarding should only be enabled when SSH traversal is required.

Using Secure/Multipurpose Internet Mail Extension

S/MIME 2.0 required the use of weaker cryptography (40-bit keys) than is approved for use in this document. Version 3.0 was the first version to become an IETF standard.

Organisations choosing to implement S/MIME should be aware of the inability of many content filters to inspect encrypted messages and attachments for inappropriate content, and for server-based antivirus software to scan for viruses and other malicious code.

When using ICT equipment or software that implements S/MIME, security controls for using AACPs also need to be consulted in the ASD Approved Cryptographic Protocols section of these guidelines.

Using Internet Protocol Security

When using ICT equipment or software that implements IPsec, security controls for using AACPs also need to be consulted in the ASD Approved Cryptographic Protocols section of these guidelines.

Internet Security Association Key Management Protocol authentication

Most IPsec implementations handle a number of methods for authentication as part of Internet Security Association Key Management Protocol (ISAKMP). These can include digital certificates, encrypted nonces or pre-shared keys. These methods are all considered suitable for use.

Mode of operation

IPsec can be operated in transport mode or tunnel mode. The tunnel mode of operation provides full encapsulation of IP packets while the transport mode of operation only encapsulates the payload of the IP packet.

Protocol selection

IPsec contains two major protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP). In order to provide a secure Virtual Private Network style connection, both authentication and encryption are needed. AH and ESP can provide authentication for the entire IP packet and the payload respectively. However, ESP is generally preferred for authentication since AH by its nature has network address translation limitations. However, if maximum security is desired at the expense of network address translation functionality, then ESP can be wrapped inside of AH, which will then authenticate the entire IP packet and not just the encrypted payload.

Key exchange

There are several methods for establishing shared keying material for an IPsec connection, including manual keying and Internet Key Exchange (IKE) version 1 and 2. IKE addresses a number of security risks associated with manual keying, and for this reason is the preferred method for key establishment.

Internet Security Association Key Management Protocol modes

ISAKMP main mode provides greater security than aggressive mode since all exchanges are protected.

Security association lifetimes

Using a secure association lifetime of four hours, or 14400 seconds, provides a balance between security and usability.

Hashed Message Authentication Code algorithms

The approved Hashed Message Authentication Code (HMAC) algorithms are HMAC-SHA256, HMAC-SHA384 or HMAC-SHA512.

Diffie-Hellman groups

Using a larger DH group provides more security for the key exchange. The minimum modulus size needed is specified in the ASD Approved Cryptographic Algorithms section of these guidelines.

Perfect Forward Secrecy

Using PFS reduces the impact of the compromise of a security association.

Internet Key Exchange Extended Authentication

XAuth using IKE version 1 has documented vulnerabilities associated with its use.

Cryptographic systems

Cryptographic systems are comprised of cryptographic equipment and keying material. In general, security controls specified for systems in this document apply equally to cryptographic systems. However, where security controls for cryptographic systems are different, the variations are contained in this section and overrule security controls specified elsewhere in this document.

Commercial grade cryptographic equipment

Transporting Commercial Grade Cryptographic Equipment (CGCE) in a keyed state may expose the keying material in it to potential compromise. Therefore, if CGCE is transported in a keyed state it should be done based on the sensitivity or classification of the keying material in it.

If CGCE or associated keying material is compromised or suspected of being compromised (e.g. stolen, lost, copied or communicated over the Internet) then the confidentiality and integrity of previous and future communications may also be compromised.

High Assurance Cryptographic Equipment

HACE can be used by organisations to protect highly classified information. ACSI 53 E, ACSI 103 A, ACSI 105 B, ACSI 107 B, ACSI 173 A and equipment-specific doctrine outline the requirements that need to be complied with for the use of HACE.

Storing cryptographic equipment

As cryptographic equipment can protect sensitive or classified information, additional physical security controls should be applied to its storage.

Purpose of gateways

Gateways act as information flow control mechanisms at the network layer and may also control information at the higher layers of the Open System Interconnect (OSI) model.

Deploying gateways

This section describes the security controls applicable to all gateways.

• For connections between different security domains, where at least one system is SECRET or higher, see the Cross Domain Solutions section of these guidelines.
• For devices used to control data flow in bi-directional gateways, see the firewalls section of these guidelines.
• For all gateways, see the Guidelines for Data Transfers and Content Filtering.

Applying the security controls

In all cases, gateways assumes the highest sensitivity or classification of the connected security domains.

Gateway architecture and configuration

Gateways are necessary to control data flows between security domains and prevent unauthorised access from external networks. Given the criticality of gateways in controlling the flow of information between security domains, any failure, particularly at higher classifications, may have serious consequences. As such, robust mechanisms for alerting personnel to situations that may cause cyber security incidents are especially important for gateways.

Gateway operation

Implementing logging and alerting capabilities for gateways can assist in detecting cyber security incidents, attempted intrusions and unusual usage patterns. In addition, storing event logs on a separate secure log server increases the difficulty for an adversary to delete logging information in order to destroy evidence of a targeted cyber intrusion.

Demilitarised zones

Demilitarised zones are used to prevent direct access to information and services on internal networks. Organisations that require certain information and services to be accessed from the Internet can place them in the less trusted demilitarised zone instead of on internal networks.

Gateway security risk assessment

Performing a security risk assessment on the gateway architecture and the proposed configuration before implementation allows for the early identification and mitigation of security risks to the gateway environment and connected systems. In addition, gateways can connect networks in different security domains, including across administrative and organisational boundaries. By understanding and formally accepting security risks from all other networks before gateways are implemented, system owners can make informed decisions about changes to their gateway environment.

Gateway configuration control

Changes that could introduce security vulnerabilities or change security risks in a gateway should be appropriately considered and documented before being implemented.

Gateway testing

Testing security controls on gateways assists with understanding its security posture by determining the effectiveness of security controls. An adversary may be aware of regular testing activities. Therefore, performing testing at irregular intervals will reduce the likelihood that an adversary could exploit regular testing activities.

Gateway administration

Administrator privileges should be minimised and roles should be separated (e.g. separate network administration and security policy configuration roles) to minimise security risks posed by a malicious user with privileged access to a gateway.

Providing system administrators with formal training will ensure they are fully aware of, and accept, their roles and responsibilities regarding the management of gateways. Formal training could be through commercial providers, or simply through Standard Operating Procedures or reference documents bound by a formal agreement.

The system owner of the highest security domain of connected security domains is responsible for protecting the most sensitive information, and as such is best placed to manage any shared components of gateways. However, in cases where multiple security domains from different organisations are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected organisations.

Shared ownership of gateways

As changes to a security domain connected to a gateway potentially affects the security posture of other connected security domains, system owners should formally agree to be active information stakeholders in other security domains to which they are connected via a gateway.

Gateway authentication

Ensuring users and services are authenticated by gateways can reduce the likelihood of unauthorised access and provides an auditing capability to support the investigation of cyber security incidents.

ICT equipment authentication

Authenticating ICT equipment to networks accessed through gateways assists in preventing unauthorised ICT equipment connecting to a network. For example, by using 802.1X.

Purpose of Cross Domain Solutions

Cross Domain Solutions (CDS) provide robust information flow control mechanisms at each layer of the OSI model in gateway environments where high levels of assurance are required. This section extends the preceding gateways section.

Introduction to Cross Domain Solutions

This section describes the security controls applicable to CDS. CDS systems should apply controls from both the gateways and Cross Domain Solutions sections. Furthermore, the Guidelines for Data Transfers and Content Filtering also applies to all gateways and CDS. Finally, additional sections of this document should be consulted depending on the specific type of CDS deployed.

CDS are systems comprising security-enforcing functions tailored to mitigate the specific security risks of accessing or transferring information between security domains. A CDS may be an integrated appliance or, more commonly, be composed of discrete technologies or sub-systems, with each sub-system consisting of hardware and/or software components.

Personnel involved in the planning, analysis, design, implementation or assessment of CDS should refer to the Australian Cyber Security Centre (ACSC)’s Introduction to Cross Domain Solutions and Guide to the Secure Configuration of Cross Domain Solutions publications.

Types of Cross Domain Solutions

This document defines two logical types of CDS: Transfer CDS and Access CDS. These logical definitions are more closely aligned with how CDS are described and sold by vendors and system integrators. Vendors may also offer a combined Access and Transfer solution.

Regardless of logical configuration, the underlying mechanisms in each CDS will consist of a low to high data transfer path, a high to low data transfer path, or both. Data filtering and other security controls are then applied to mitigate threats applicable to the system’s operating context, including specific data paths and business cases.

A Transfer CDS facilitates the transfer of information, in one (unidirectional) or multiple (bi-directional) directions between different security domains.

An Access CDS provides the user with access to multiple security domains from a single device. Conceptually, an Access CDS allows remote interaction with one or multiple systems in a different security domain, such as a ‘virtual desktop’, and does not allow users to move data between security domains.

Applying the security controls

In all cases the gateway or CDS assumes the highest sensitivity or classification of the connected security domains.

Requirements to use Cross Domain Solutions

There are significant security risks associated with connecting highly classified systems to the Internet or to a lower classified system. An adversary having control of, or access to, a gateway or CDS can invoke a serious security risk.

Consultation when implementing or modifying Cross Domain Solutions

CDS environments can be complex to deploy and manage securely, as such, the likelihood of a network compromise is increased. Secure CDS implementations ensure that the security policy of each security domain involved is upheld in a robust manner across all physical and logical layers of the connection between domains.

Separation of data flows

CDS connecting highly classified systems to other potentially internet-connected systems should implement robust security enforcing functions, including content filtering and isolated paths, to ensure data flows are appropriately controlled.

Event logging

In addition to the security controls listed in the event logging and auditing section of the Guidelines for System Monitoring, CDS should have comprehensive logging capabilities to establish accountability for all actions performed by users. Effective logging practices can increase the likelihood that unauthorised behaviour will be detected.

Due to the criticality of data import and export functions provided by CDS, organisations should regularly assess the performance of CDS data transfer policies against the security policies the CDS has been deployed to enforce.

User training

It is important that users know how to use a CDS securely. This can be achieved via training before access is granted, and reinforced by logon banners and awareness messages.

Using firewalls

Where an organisation connects to another organisation, both organisations should implement a firewall in their gateway environment to protect themselves from intrusions that originate outside of their environment. This requirement may not be necessary in the specific cases where shared network infrastructure is used only as a transport medium and link encryption is used.

Firewalls for particularly important networks

As AUSTEO and AGAO networks are particularly important, additional assurances should be put in place when connecting such networks to other networks.

Using diodes

A diode enforces one-way flow of network traffic thus requiring separate paths for incoming and outgoing data. This makes it much more difficult for an adversary to use the same path to both launch a targeted cyber intrusion and exfiltrate information afterwards.

Diodes for particularly important networks

While diodes between networks at the same classification are generally not needed, AUSTEO and AGAO networks require additional assurances to be put in place when connecting such networks to other networks.

Volume checking

Monitoring the volume of data being transferred across a diode ensures that it conforms to expectations. It can also alert an organisation to potential malicious activity if the volume of data suddenly changes from the norm.

Web usage policy

If organisations allow users to access the Web they should define the extent of access that is granted. This can be achieved through a web usage policy and education of users.

Web proxies

Web proxies are a key component in detecting and responding to cyber security incidents. Thorough web proxy logs are also valuable in responding to user violation of web usage policies.

Transport Layer Security filtering

Since Transport Layer Security (TLS) web traffic travelling over Hypertext Transfer Protocol Secure connections can deliver content without any filtering, organisations can reduce this security risk by using TLS inspection. In doing so, organisations may choose to allow websites that have a low risk of delivering malicious code and have a high privacy requirement, such as internet banking websites, to continue using end-to-end TLS encryption.

Inspection of Transport Layer Security traffic

As encrypted TLS traffic may contain personally identifiable information, organisations are recommended to seek legal advice on whether inspecting such traffic could be in breach of the Privacy Act 1988.

Whitelisting websites

Defining a whitelist of permitted websites and blocking all unlisted websites effectively removes one of the most common data delivery and exfiltration techniques used by an adversary. However, if users have a legitimate requirement to access numerous websites, or a rapidly changing list of websites, organisations should consider the costs of such an implementation.

Even a relatively permissive whitelist offers better security than relying on blacklists, or no restrictions at all, while still reducing implementation costs. An example of a permissive whitelist could be whitelisting the entire Australian subdomain, that is ‘*.au’, or whitelisting the top 1,000 sites from the Alexa site ranking (after filtering Dynamic Domain Name System domains and other inappropriate domains).

Categorising websites

Websites can be grouped into categories and prohibited categories can be blocked via a web content filter.

Blacklisting websites

Blacklists are collections of websites that have been deemed to be inappropriate due to their content or hosting of malicious content.

Targeted cyber intrusions commonly use dynamic or other domains where domain names can be registered anonymously for free due to their lack of attribution.

Web content filter

An effective web content filter greatly reduces the likelihood of malicious code infection or other inappropriate content from being accessed by users. Web content filters can also disrupt or prevent an adversary from communicating with their malicious code if deployed on an organisation’s network.

Some forms of content filtering performed by web content filters are the same as those performed by email or other content filters while other types of content filtering are specific to web-based content.

Using peripheral switches

When accessing different systems through a peripheral switch, it is important that sufficient assurance is held in the operation of the switch to ensure that information does not pass between different security domains. As such, the level of assurance needed in a peripheral switch is determined by the difference in sensitivity or classification of systems connected to the switch.

There is no requirement for an evaluated peripheral switch when all connected systems belong to the same security domain.

Peripheral switches for particularly important systems

As AUSTEO and AGAO systems are particularly important, additional assurances should be put in place when such systems share a peripheral switch with other systems.

Data transfer process and procedures

Ensuring that a data transfer process, and supporting data transfer procedures, is adhered to will facilitate the consistent application of data transfer-related security controls and the generation of necessary audit records.

User responsibilities

When users transfer data to or from a system, they should understand the potential consequences of their actions. This could include spills of data onto systems not authorised to handle the data, or the unintended introduction of malicious code to a system. Accordingly, users should be held accountable for all data transfers that they make.

Trusted sources

Trusted sources are responsible for authorising data exports based on a formal assessment. Trusted sources include an organisation’s Chief Information Security Officer (CISO) and their delegates.

Data transfer approval

Users can prevent cyber security incidents by checking protective markings to ensure that the destination system is appropriate for the data being transferred, performing antivirus scanning on data to be transferred, and following all other procedures as part of the data transfer process.

Import of data

Scanning imported data for malicious and active content reduces the likelihood of a system being infected with malicious code.

Export of data

When data is exported between systems, the classification should be assessed to determine if the export is permitted. Thorough inspection, including protective marking checks, can reduce the likelihood of data being transferred to a system that is not authorised to handle it or into the public domain.

Preventing export of particularly important data to foreign systems

In order to reduce the likelihood of spilling Australian Eyes Only (AUSTEO) and Australian Government Access Only (AGAO) data onto foreign systems, it is important that a process, and supporting procedures, is developed to detect AUSTEO and AGAO data and to prevent it from crossing into foreign systems.

Monitoring data import and export

It is important to monitor data import and export processes to ensure the confidentiality and integrity of systems and data. This applies to all import and export mechanisms including those which are performed using Cross Domain Solutions (CDS), gateways and removable media.

Content filtering techniques

Content filters reduce the likelihood of unauthorised or malicious content transiting a security domain boundary by assessing data based on defined security policies. The following techniques can assist with assessing the suitability of data to transit a security domain boundary.

Content filtering

Implementing an effective content filter which cannot be bypassed reduces the likelihood of malicious content successfully passing into a security domain. Content filtering is only effective when suitable components are selected and appropriately configured with consideration of an organisation’s business processes and threat environment.

When content filters are protecting classified environments as a component of a CDS, their assurance requirements necessitate rigorous security testing.

Active, malicious and suspicious content

Many files are executable and are potentially harmful if executed by a user. Many file type specifications allow active content to be embedded in the file, which increases the attack surface. The definition of suspicious content will depend on the system’s security risk profile and what is considered to be normal system behaviour.

Automated dynamic analysis

Analysing email and web content in a sandbox is a highly effective strategy to detect suspicious behaviour including network traffic, new or modified files, or other configuration changes.

Content validation