A recent report from the Australian Cyber Security Centre (ACSC), titled the ‘ACSC Threat Report 2017’, offers a snapshot of the state of cyber security across Australia. The ACSC report paints a picture of growing and evolving cybersecurity threats targeting Australian private and public sector organisations. Based on the findings, it can be concluded that there is a clear need for organisations to ensure they are maintaining their “cyber hygiene”. A bit like the need to brush your teeth to ensure basic health and cleanliness, there are certain security policies and protocols that must be followed to maintain a rudimentary security posture.
Evaluating the security landscape
According to the ACSC report, the vast majority of reported cyber incidents affecting Australian private businesses were criminally motivated, typically for financial gain. Most incidents in the private sector were in the banking and financial services, communications, energy, government, information technology, and retail industries. However, the ACSC reveals that “non-traditional sectors” such as accommodation, automotive and hospitality reported the highest number of incident reports. This growth of incidents reflects the expanded scope of targets for cybercriminals and adversaries.
Meanwhile, the Australian Signals Directorate (ASD) responded to 671 cyber security incidents (between 1 July 2016 and 30 June 2017) that were considered serious enough to warrant operational responses. As cyber security awareness has increased and government organisations have improved their ability to respond to lower level cyber security incidents on their own, the number of incidents requiring an operational response has decreased.
While the ACSC has observed fewer major compromises of Australian government networks, this doesn’t necessarily represent a reduction in targeting. Government networks were regularly targeted by cybercriminals, issue-motivated groups and individuals, and state-sponsored adversaries. As government defences gradually improve, cyber adversaries will increasingly look to identify softer targets to gain access to government information and networks. The recent hacking of an Adelaide defense industry contractor, in which commercial details of military aircraft were stolen, clearly demonstrates this.
by exploiting a 12-month-old vulnerability in the company’s IT helpdesk portal. The ASD also found the contractor had not changed the default passwords on its internet-facing services. The admin password for the company’s web portal was ‘admin’ and the guest password was ‘guest’. Having just one person responsible for IT at the 50-employee company also didn’t help the situation.
Starting with the hygiene basics
In cyber security, as in the above case with the defense contractor, few if any enterprises have enough experts or technologies in place to take an offensive approach to security. Instead, savvy enterprises deploy solutions and processes that help to minimise the attack surface accessible to hackers, quickly identify and disable or minimise threats, and ultimately remediate those that succeed.
The ASD has for years promoted a set of basic steps that enterprises can take to improve their cyber security, ensure standard cover and stay “clean”. In its current incarnation, that set of steps is known as the “Essential 8.” Implementing the ASD Essential 8 effectively helps organisations achieve a baseline cybersecurity posture – a level that would have prevented the success of recent ransomware attacks such as WannaCry and NotPetya. While this might sound straightforward, many companies still struggle to achieve this level of security today.
The eight recommendations are divided into two groups. Four intend to prevent malware from running. Four intend to limit the extent of incidents and recover data.
Prevent malware from running: disable untrusted Microsoft macros; user application hardening.
Limit the extent of incidents / recover data: restrict administrative privileges; patch operating systems; daily backup of important data.
The Essential 8 are descended from a previous set of ASD recommendations known as the “Top 4.” An ASD study found that implementing those four recommendations – application whitelisting, application and operating system patching and administrative privilege restriction – could mitigate 85 percent or more of cybersecurity threats. The Top 4 and Essential 8 also align with recommendations from other respected experts, including the U.S. Center for Internet Security (CIS) and the UK National Cyber Security Centre (NCSC).
Solutions and processes that implement the ASD Essential 8 can improve cybersecurity, user productivity and operational agility at any enterprise by providing a foundation for effective, multi-layered defense. When combined with user engagement and education and frequently tested backups of critical information, those solutions and processes can enable any enterprise to withstand and respond effectively to the threats identified by the ACSC and others, today and tomorrow, in Australia or anyplace else in the world.