Successive audits at both state and federal level indicate there are plenty of public sector organisations that are yet to pick all the low-hanging fruit of cybersecurity. When they do, it needs to be more than a box-ticking exercise.
Most recently, the Australian National Audit Office looked at four entities and found two — one being the Australian Federal Police — still were not fully compliant with the “top four mitigation strategies” in the Australian Signals Directorate’s Information Security Manual.
The recent audit was conducted because ANAO previously found seven agencies were going to miss the deadline when the “top four” became mandatory at the end of June, 2014. The latest report, released last week, notes it is likely the new recommendations apply to other Commonwealth entities as well.
Applying a framework like the ISM is important as a minimum standard, but should only be seen as a starting point, according to Rear Admiral (retired) Mike Brown, the vice-president and general manager of information security firm RSA’s global public sector arm.
“It’s important to ensure that it’s not addressed or used as a rote compliance model, a checklist or a regulation,” said Brown, a former director of cybersecurity co-ordination at the United States Department of Homeland Security who spoke at the Australian Cyber Security Centre conference.
ASD expects the top four — application whitelisting, patching applications, patching operating systems and minimising administrative privileges — to prevent at least 85% of “targeted intrusions”. To make the most of the ISM’s full “top 35” mitigation strategies and various advice aimed at staff of different levels, Brown said, it needed to be adapted to the specific needs of each agency.
Three lessons from an infosec veteran
Having been involved in the evolution of public sector cybersecurity for many years in a range of senior roles with the US navy, in the centre of government, and with RSA’s public sector clients from 2012, Brown has distilled three key lessons.
“I think the first thing is you need to really understand what’s important — what’s the mission of those agencies,” he told The Mandarin. “It’s not the responsibility of just the security organisation, it really is the synchronisation that needs to occur between the mission owners and across the [cybersecurity] space.”
Despite his naval background, Brown says it is time to “move away” from traditional strategies like defence-in-depth which involve a perimeter or “castle-walls mentality” with layers of security keeping what’s inside safe from what’s outside.
Start instead by taking stock of everything and assessing what is most critical to the organisation’s mission and therefore the highest priority, working backwards to enable rapid and effective risk assessment, he advises.
“Dedicate your resources that you have and design your strategy around that, and recognise that you will not be able to prevent the adversary from being successful in piercing the wall,” Brown said.
Second, he believes ignorance of the capability that exists in the private sector and how best to make use of it is a common theme in public sector organisations.
“It’s not just about the contracting actions and the tools and so on that are purchased and acquired by the agencies and departments,” said Brown. “You really need to understand that there’s great capability out there, and how to use it effectively in your own strategy.”
“Third is people,” he added. A large part of hardening organisations large and small, regardless of their own internal cybersecurity capability, involves training and education to all staff, tailored to their specific roles and level of responsibility.
This was noted by AUSTRAC, the agency that was far and away the most “cyber resilient” of the four recently scrutinised by the auditor-general, in its response to last week’s audit:
“AUSTRAC acknowledges the ongoing effort by all staff in contributing to an organisational culture of resilience and high performance that is fundamental in delivering our outcomes. The audit findings also reflect the long term commitment of our ICT teams to securing our systems.”
Brown acknowledges another major piece in the cybersecurity puzzle is a skills shortage that means expertise is expensive and hard to come by. In Australia at least, the federal authorities struggle to retain the most valuable staff after investing in their training.
But, answering a question from the audience, the former Homeland Security executive inadvertently advertised one unique attraction of cybersecurity careers in the public sector, which was also recently acknowledged by Prime Minister Malcolm Turnbull:
“If you really want to do offensive operations — and I have had the pleasure of doing that — I recommend public service.”
You can’t keep all the threats outside the wall but it is realistic to “prevent the adversary from being successful in what they were trying to do” in most cases, according to Brown.
The aim is to get into a position to be proactive or even “predictive” in countering threats. “Organisations may even talk the talk but when it comes time for execution, they revert back to this perimeter, castle-walls mentality and strategy,” the retired Rear Admiral said in his conference appearance.
Instead, he believes there is a need to “know where technology’s going, know where the threat actors are going, and to be able to be out in front” to prevent more advanced attacks with complex motives.
Only a brief decade ago, he told The Mandarin, the cybersecurity professionals he worked with in the US government were “thrilled” to be putting “reactive” capabilities in place. “That is, maybe after the second, third or fourth time having been hit on the same threat vector, with the same tactic, technique or procedure, or the same malware, we finally were able to react and prevent it from being successful again,” he explained.
“Where we’re really trying to get to now is proactive — where we have the ability to prevent that adversary from being successful in his mission — not just being able to get into the infrastructure, but to do something like steal, or financial fraud.
“Threat actors are moving from disruption and destruction to deception, moving to change and manipulate data, and that’s a significant threat.”
Hard lessons were learned from the massive data breach that affected the US Office of Personnel Management, compromising a vast a trove of personal data about millions of current and former government employees.
“The first lesson is: it’s a legitimate target,” Brown said of the OPM’s files. “There was an enormous amount of information — my information actually was stolen, as was my wife’s — and from a nation-state perspective, that made it a legitimate target.
“A database like that holds lots of relevant information for the nation-state actor. Therefore we should have understood that, understood the risk, and taken appropriate action to defend against that risk.”
Brown says the OPM breach also highlights why more advanced, proactive cybersecurity measures are needed. He points out that Homeland Security’s EINSTEIN system — which was criticised and discussed in the wake of the OPM breach — is an example of the earlier generation of “reactive” technology, based on known threats.
“That’s part of the reason why DHS put the Continuous Diagnostic and Mitigation program in there; you need all of these capabilities to be integrated and that’s part of what I think is the new strategy, the new world order,” he said.
The newer CDM program is based on short monitoring cycles with a risk-based approach to triage issues and fix the worst problems first.
“We must move away from our single focus on prevention and move towards a robust operational capability which incorporates a risk management posture,” Brown told the conference.
“With this approach comes a greater balance across monitoring, detecting and response and resilience capability.
“We need to accept the high probability almost a certainty that an adversary will breach our defence and look at the adversary’s dwell time, and minimise or mitigate its effects through faster detection, and more accurate incident scoping, processing and adjudication.”
He told the ACSC delegates that “what keeps him up at night” is the potential for zero-day attacks — those that have never been seen before — with complex motives involving deception and disruption:
“I think about what we haven’t discovered yet. I think about the adversary, known or unknown, who had moved to truly compromising the integrity of the data or the information resident in that organisation, where the adversary has altered, deleted or inserted data into those systems.”