The Australian Cyber Security Centre (ACSC) was established in November 2014 to bring cyber security capabilities from across government together in one location. It acts as a hub where the private and public sectors can collaborate and share information to combat serious cyber security threats. The ACSC released its first ever unclassified cyber security threat report on 29 July 2015 (Threat Report). The Threat Report demonstrates that the cyber threat to Australian organisations is undeniable, unrelenting and continuing to grow. For those who live and breathe cyber security, such as the Australian Signals Directorate’s (ASD’s) head of Cyber and Information Security, Major General Stephen Day, the Threat Report may have contained “few surprises”. However, the Threat Report is a useful starting point, as well as a useful practical guide for “those who just don’t get it – yet.”
This article canvasses the major topics covered by the Threat Report, focusing on what Australian businesses need to be doing to ensure they are resilient against cyber threats. The full Threat Report is available here.
Current cyber threats
The Threat Report identifies four major threats currently impacting ICT networks in Australia, being:
- the Heartbleed bug, which at one time compromised 17% of the world’s Internet servers;
- the Bash/Shellshock bug;
- the end of support for Windows XP and MS Office 2003; and
- the Microsoft Active Directory Group Policy Preferences vulnerability.
Whilst each of these threats originally occurred (or were publicised) in 2014, their harmful effects continue to linger in our networks.
For example, in April 2015, 12 months after Heartbleed was first publicised, it was revealed that 84% of Australian businesses had yet to fully remediate their vulnerability to the bug, leaving sensitive information such as usernames and passwords at risk. Similarly, the Bash/Shellshock bug, which allows adversaries to remotely execute arbitrary code, potentially permitting full system control of UNIX-based platforms (including Apple Mac), lingers on common devices. Although patches for this vulnerability are available for download, it may still be present in third party applications and programs that are embedded in systems. Vendors must first upgrade the firmware of their appliances and programs for the system to be fully patched.
At a minimum, you should check that your cybersecurity team (you do have one, don’t you?) has installed the relevant patches to end susceptibility to these major threats.
More generally, however, in light of this report, you should be taking steps to satisfy yourself that your organisation has adequate and appropriate measures in place, particularly at a governance level, to be cyber-secure and cyber-resilient.
King & Wood Mallesons has developed its “7 Pillars of Cyber Security” methodology as a framework to assist organisations in becoming resilient against the myriad of cyber threats faced by Australian businesses. Please contact us if you would like further information on the methodology.
The Australian threat environment
The Threat Report paints a picture of the cyber threat environment in Australia, outlining the major players, and the types of threats that can potentially affect us, being cyber espionage, cyber attack, cybercrime and disruption.
Cyber espionage in particular poses a serious threat to Australian businesses. Cyber espionage is defined as “offensive activity designed to covertly collect information from a user’s computer network for intelligence purposes”. Australian government and industry are attractive targets for such activity by foreign adversaries due to our:
- resource wealth;
- economic prosperity;
- range of commercial interests in-country and internationally;
- expertise in certain fields of scientific research, manufacturing and technology; and
- prominent role in the Asia-Pacific region.
The ACSC specifically notes its awareness that cyber espionage adversaries target industry networks in addition to government networks to acquire desired information. Australian businesses are increasingly being identified as targets of cyber espionage. The theft of intellectual property or commercially sensitive information can:
- seriously impair reputations, profitability and ability to compete in the global economy;
- limit business opportunities and reduce a company’s economic competitiveness; and
- undermine a company’s business model and viability.
An important learning point is that cyber adversaries will target the weakest link; if the network security of their primary target is robust, they will move to secondary targeting of other networks that may hold the same information but are easier to compromise. This means that companies need to take an interest in the security arrangements of their key contractors and service providers in addition to their own.
The Computer Emergency Response Team (CERT) Australia is predominantly responsible for responding to cyber security incidents involving Australian businesses. The graph below shows the top five non-government sectors assisted by CERT Australia in relation to cyber security incidents in 2014:
[Chart: top five non-government sectors assisted by CERT Australia in relation to cyber security incidents in 2014 (not reproduced here)]
Some sectors have not yet invested heavily in cyber security, and therefore may not understand the level of risk or potential economic harm to their business. Furthermore, some companies may be hesitant to report incidents due to the perceived harm to their reputation.
The ACSC is working to forge stronger relationships with Australian businesses to better assess cyber security practices and support improved cyber security.
Activity targeting Australian networks
The second part of the Report outlines the main types of cyber activity used to target Australian networks. These include:
- cyber intrusion (also known as “hacking”) (where someone gains access to a computer or device without permission);
- remote access tools (RATs) (these allow someone to access a computer from a remote location);
- malware (MALicious softWARE designed to facilitate unauthorised access to a system, or cause damage or disruption to a system). Previously considered a niche capability, malware used for cybercrime is now readily available through the online criminal marketplace, often with ongoing technical support, making it accessible to people with minimal ICT knowledge;
- watering-hole techniques (where the adversary places malware on legitimate websites that are frequented by their ultimate targets);
- ransomware (extortion through the use of malware that typically locks a computer’s content and requires victims to pay a ransom to regain access);
- Denial of Service (the prevention of legitimate access to online services, typically websites, by consuming the available bandwidth or the processing capacity of the computer hosting the service); and
- hacktivism (malicious cyber activity conducted by issue-motivated groups or individuals for the purpose of promoting a particular cause or targeting a particular person or organisation associated with an issue or cause).
Helpfully, the Threat Report provides case studies along the way to assist readers to better understand the different types of targeting activity.
One of the most practical aspects of the Threat Report is its section on mitigation, which separates out the different methods of targeting, outlining specific strategies on how to best deal with them. At a technical level, the Australian Signals Directorate’s (ASD) Strategies to Mitigate Targeted Cyber Intrusions provides specific strategies that organisations can implement to reduce vulnerability. The Top 4 of these strategies – application whitelisting, patch applications, patch operating system vulnerabilities and restricting administrative privileges – are regarded as “essential”, as roughly 85% of targeted cyber intrusions could be prevented by their implementation.
Cloud computing services are subject to similar threat vectors as traditional ICT service models, and can introduce additional cyber security threats to an organisation’s information. In June 2014, hosting service Code Spaces was put out of business when a cyber adversary used the company’s legitimate cloud login credentials to irretrievably delete company data from its cloud service provider (CSP). When weighing up the pros and cons of engaging a CSP, you need to be aware of risk factors like:
- Where your data may reside. Are the CSP’s servers onshore or offshore? Is the data subject to lawful access by a foreign government? Is this an issue for your organisation, having regard to the data hosted by the service provider and the fact that Australia has mutual legal assistance treaties with many countries that allow foreign governments to obtain access to data held in Australia?
- How many locations your information will be stored in. Storing information in multiple, disparate locations and allowing more people to access it can increase the opportunities for information and networks to be compromised.
- Who else stores their information on the servers. Cloud computing is, by nature, multi-tenancy, meaning multiple customers are hosted on the same infrastructure. This increases the potential impact of unauthorised access or network compromise, which many service providers mitigate by implementing security practices that are substantially more robust than would typically be deployed by organisations with responsibility for their own security efforts.
One of the key themes coming out of the Threat Report is that cyber adversaries are constantly improving and adapting their tradecraft in their attempts to defeat our network defences and exploit the new technologies we embrace. The ACSC’s short term prediction is that all of the following will increase:
- the number of state and cyber adversaries with capability;
- the sophistication of cyber adversaries, making detection and response more difficult; and
- electronic graffiti, such as web defacements and social media hijacking, designed to grab a headline.
Having said that, and whilst the ever-changing nature of technology offers significant opportunities and challenges for Australia’s cyber security, robust cyber defences can continue to allow a high degree of confidence in network and information security. Through support and collaboration, cyber defenders can make it more difficult for adversaries to succeed. The building of partnerships to improve collective understanding and capability will be a key factor in our ability to remain resilient to cyber threats in a sophisticated environment.