ASD refreshes cyber guidelines
Dan Tehan: Cybersecurity "underpins innovation, growth and prosperity in a modern digital economy"
The Australian Signals Directorate has updated its baseline cybersecurity procedures for the first time in three years, with the government intelligence agency now advising all businesses to disable Flash and utilise ad blockers.
The update came as Parliament finally passed legislation to introduce mandatory data breach notification rules for all organisations governed by the Privacy Act.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed the Senate this week after three years of trying, and will require agencies and organisations to inform the Australian Information Commissioner and impacted individuals of an “eligible data breach”.
So it’s probably a good time for these organisations to introduce the ASD’s cyber threat mitigation strategy, which has been revamped and expanded to include eight core tactics to prevent up to 85 per cent of cyberattacks.
The Top Four cyber threat mitigation strategy was first released in 2011 and outlined the basic things all businesses and government agencies can do to mitigate risks.
The new list, released earlier this week, now consists of the “Essential Eight” defences to prevent “ransomware and external adversaries with destructive intent, malicious insiders, business email compromise and industrial control systems”.
“The eight mitigation strategies are so effective at mitigating targeted cyber intrusions and ransomware that ASD considers them to be the cybersecurity baseline for all organisations,” the ASD report said.
“Implementing the Essential Eight mitigation strategies can save organisations considerable time, money, effort and reputational damage compared to cleaning up after a compromise.”
The ASD’s cybersecurity guidelines are mandatory for all government agencies, and are used by a large number of private enterprises. They are based on the intelligence agency’s experience responding to cybersecurity incidents and conducting vulnerability assessments and penetration testing of Australian government organisations.
The guidelines were updated to meet the changing threats of the cyber world, and have now been expanded far beyond the original aim to prevent “targeted” attacks.
The updated baseline includes the mandatory use of multi-factor authentication, the blocking of browser access to Adobe Flash player and online advertisements, and the disabling of untrusted Microsoft Office macros.
The government’s data breach notification scheme will not apply to state government organisations, local councils or any organisation turning over less than $3 million annually, despite last-minute attempts by the Greens to expand its scope.
Under the new scheme, which will be introduced within a year, organisations that have been breached or lost data will have to report it to the Privacy Commissioner and notify customers within 30 days, including a description of the incident, what kind of information is involved and how they should respond to it.
Those who do not will face a fine of up to $1.8 million.
According to the bill, a data breach is defined as when there has been “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”.
The Federal Government has made cybersecurity a core component of its digital transformation and technology policies, Minister Assisting the Prime Minister for Cyber Security Dan Tehan said.
“Strong cybersecurity is important for Australia’s economic wellbeing and our national security,” Mr Tehan said.
“It underpins innovation, growth and prosperity in a modern digital economy. The government has put cybersecurity at the forefront of its agenda and these mitigation strategies complement the broader work underway as part of the Cyber Security Strategy.”
Prime Minister Malcolm Turnbull recently dubbed cybersecurity the “new frontier of warfare” and announced unprecedented intelligence briefings from the ASD to all Australian political parties.
The ASD will be providing information to political leaders on cyber vulnerabilities and safety measures that should be employed.
The government’s flagship $32 million Cyber Security Growth Network opened its doors last month, led by former Atlassian security head Craig Davies who will aim to transform cyber threats into a “very pragmatic thing”.
The Australian Signals Directorate’s Essential Eight:
- Use application whitelisting to allow only approved software applications to run
- Patch applications to fix security vulnerabilities in this software
- Disable untrusted Microsoft Office macros
- Block web browser access to Adobe Flash player, online ads and untrusted Java code
- Restrict admin access to only those who absolutely need it
- Patch operating systems to fix vulnerabilities
- Use multi-factor authentication
- Back up important data daily
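Two of the eight items, disabling untrusted Office macros and restricting administrative access, can be checked on a single Windows host from the registry and the local Administrators group. The script below is an added, read-only audit example; it is not part of the article or of ASD's published guidance. It assumes Office 2016/2019/365, whose settings live under the "16.0" registry version key, and Windows 10 or later for Get-LocalGroupMember; the VBAWarnings values (1 to 4) and the BlockContentExecutionFromInternet policy value are Office's own Trust Center settings.

```powershell
# Added example (not the article's or ASD's own code): read-only audit of two
# Essential Eight items on a Windows host - Office macro hardening and local
# Administrators membership. Run as the user whose Office settings you want to see.
# Assumption: Office 2016/2019/365 ("16.0" registry key); change $OfficeVersion otherwise.

$OfficeVersion = "16.0"
$Apps = @("Word", "Excel", "PowerPoint")

# VBAWarnings (Trust Center > Macro Settings):
#   1 = enable all macros, 2 = disable with notification (Office default),
#   3 = disable except digitally signed, 4 = disable all without notification
$VbaMeaning = @{
    1 = "Enable all (UNSAFE)"
    2 = "Disable with notification"
    3 = "Disable except signed"
    4 = "Disable all"
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

Write-Host "== Office macro settings =="
foreach ($app in $Apps) {
    # A Group Policy value takes precedence over the user's own Trust Center choice
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $userPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"

    $vba = Get-RegValue $policyPath "VBAWarnings"
    $source = "policy"
    if ($null -eq $vba) { $vba = Get-RegValue $userPath "VBAWarnings"; $source = "user" }
    if ($null -eq $vba) { $vba = 2; $source = "default" }

    # 1 = block macros in files carrying the Mark-of-the-Web (downloaded from the internet)
    $blockInternet = Get-RegValue $policyPath "BlockContentExecutionFromInternet"

    # "Untrusted macros disabled" here means: only signed macros run, or none run,
    # or internet-sourced macros are blocked by policy. Anything else is flagged.
    $status = if ($vba -ge 3 -or $blockInternet -eq 1) { "OK" } else { "REVIEW" }

    "{0,-11} VBAWarnings={1} ({2}, via {3}); BlockContentExecutionFromInternet={4} -> {5}" -f `
        $app, $vba, $VbaMeaning[[int]$vba], $source, $blockInternet, $status
}

Write-Host "`n== Local Administrators group (should be a short, justified list) =="
# Get-LocalGroupMember ships with Windows 10 / Server 2016 and later
Get-LocalGroupMember -Group "Administrators" |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

The script only reads settings; applying the corresponding Group Policy (Disable all macros, or block macros from the internet) and trimming the Administrators group remain change-controlled actions. Machine-wide policy can also be set under HKLM, so a fleet audit should check both hives, and the remaining items (application whitelisting, patching, MFA, backups) need their own checks outside this host-level script.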