Hyperactive cyberthreats - The new normal

Australian GovLink News, Security section (Australian Publishing Resource Service, APRS)

Wednesday, 14 December 2011 19:35 Written by Keith Price
Editorial, http://blackswanconsulting.com.au

According to the Norton Crime Report 2011, cybercrime costs Australians $4.6bn a year, and 62 per cent of Australian online adults have experienced cybercrime in the past 12 months. Cyberthreats are the new normal in cyberspace. What are the greatest risks for government agencies, and what can they do to protect themselves?

Many government agencies hold confidential information about their business operations, plans, contracts, and negotiations which has potential commercial value. They also collect and store vast amounts of personal information about individual citizens including tax file numbers, driver’s licence numbers, criminal and legal records, health details, and certain financial details.

Agencies have a responsibility to ensure this information is protected from unauthorised access or inappropriate use, and the public rightly expects that their personal details are secure. In today’s hyperactive cyberthreat landscape, protecting information from cyberattack is more challenging than ever before.

Government exposure to cyberattacks is increasing

The public and businesses are increasingly interacting with government agencies through websites, for example to request or pay for services or to apply for licences, and this potentially exposes government systems and information to attack from anywhere in the world. Because the Internet serves as a gateway into an agency’s internal computer networks, public-facing web servers can be compromised to allow access to information stored within internal networks. Exposure also extends across the entire connected network, from laptops and desktops to databases and multi-function printers. Factors such as staff mobility, use of social networking sites and employee-purchased mobile devices like iPads and iPhones also increase the risk.

The greatest threats now come from inside a network

The most significant threat reported by organisations when protecting their sensitive information was data leaked, accidentally or intentionally, by employees. Employees’ adherence (or lack thereof) to security policies, standards, and procedures is considered the greatest challenge to organisations’ information security.[1]

A study conducted by RSA last year revealed that a high number of employees’ computers within some of the world’s largest organisations were infected with malware. RSA found that 88 per cent of the US Fortune 500 companies showed botnet activity associated with their domains and 60 per cent had e-mail addresses compromised by malware.[2]

End-point security struggles to protect against even simpler forms of attack such as data-stealing Trojans, which is why you can find so many examples of employee computing devices compromised by a Trojan that grabs corporate data and stealthily sends it to the Trojan mothership halfway across the world.[3]

Cyberattackers now targeting government organisations

The attacks against the Australian Parliament, Mosman Council, Australian Associated Press, BHP Billiton, Rio Tinto, Fortescue, Distribute.IT, NetRegistry, Sony, Google, the International Monetary Fund, the CIA, NATO, and many others indicate that government agencies are vulnerable to attack. Verizon investigated four times as many government breaches in 2010 as in 2009.[4]

Government agencies, due to their involvement in local and regional economic activities, should expect to come under attacks that go after tax revenues, internal document stores, email archives, and other databases. The motivations of attackers range across financial gain, competitive advantage in business and trade negotiations, economic advantage in a region or industry, personal information for identity theft, and hacktivism (attacks motivated by politically driven causes).

A startling example of a government cyberattack is the Gregg County, Texas Tax Assessor’s Office, which was infected with the Zeus Trojan in late 2010, allowing Russian cybercriminals to hijack local tax payment transactions totalling $690,000.[5]

In addition to defacement and distributed denial of service (DDoS, the latest “fashionable” activity), government agencies are likely to face new kinds of sophisticated attacks. Information theft, where data is stolen and then disclosed to discredit political opponents, will certainly increase. More groups will repeat the Wikileaks example, as hacktivism is conducted by people claiming to be independent of any particular government or movement.[6]

How are cyber attacks mounted?

Below are some of the strategies and tactics used in cyberattacks.

Microsoft and commonly used software - Cybercriminals tend to target Microsoft because its Office and Internet Explorer products are ubiquitous. Many users view this software as an integral part of the Windows platform, rather than as separate software that may need a separate regime of updating and patching. Recently cybercriminals have targeted Adobe to enable malware distribution, as its PDF Reader and Flash Player are also widely, if not universally, installed.[7]

Social media - As both consumer and business users flock to social media and networking sites, we expect to see increasingly targeted abuses of personal identity and data. Social media connections will eventually replace email as the primary vector for distributing malicious code and links. The massive amount of personal information online, coupled with users’ lack of knowledge of how to secure this data, will make it far easier for cybercriminals to engage in identity theft and user profiling.[8]

Web-attack toolkits - A growing proliferation of web attack toolkits drove a 93% increase in the volume of web-based attacks in 2010 compared to 2009. Shortened URLs appear to be playing a role: during a three-month observation period in 2010, 65% of the malicious URLs observed on social networks were shortened URLs.[9]

Trusted and popular websites - The majority of web threats are now delivered from trusted and popular websites that have been hacked for use by cybercriminals. The websites we trust are cybercrime’s entry points into our lives. Given that websites today contain thousands of dynamic links to various content types and sources, innovations like malvertising now rank as the second most popular web threat delivery method as of mid-2011.[10]

Fake antivirus and software updates prevail in malvertising attacks. The 13-month study released by the Google Security team in late April 2010 on the distribution of fake antivirus shows that it accounts for 15 per cent of all malware they see on the web. The fake update is mainly driven by a fake video codec or software update, ties into social networking and the sharing of photos and videos between friends, and rides on searches for adult or pornographic material.[11]

How to protect your agency

One of the best defence strategies against cyberattack is to assess the effectiveness of your internal people, process, technology and organisational controls to understand your current state of security. Once you have determined where gaps exist, you should give serious consideration to the variety of practices and tools below for applicability to your agency and particular security state.

Review recent cybercrime intelligence - Cybercrime intelligence can help prioritise defensive actions, identify emerging threats, and spot unmapped vulnerabilities. There’s a variety of sources available: RSA Cybercrime Trends Report, Verizon Data Breaches Report, Cisco Global Threat Report, Symantec Internet Threat Report, Sophos Security Threat Report, McAfee Threats Predictions, Microsoft Security Intelligence Report, and many others.

Executive briefing sessions – Your senior management needs to be informed of the impending cybersecurity threat. Making the business case for the people, process, and technology the security team requires is challenging, especially since cyber threats are still a vague concept for some influential executives. Ways to help get the support you need is to present case studies on real incidents at other agencies and companies, benchmarking against your peers, security risk assessments, and security investment metrics.

Restart your security awareness program – Your agency’s greatest vulnerability is its people. Mandate periodic refresher training for all existing employees (including managers and senior executives), contractors and users; induction training for all new employees (including managers and senior executives), contractors and users; and the distribution of security and technology code-of-use policies, detailing rules and expected behaviours, to all affected personnel.

Integrate information security into your agency’s overall risk management function – This increases understanding of the organisation’s risk management expectations, activities, and methods that are relevant to information security. It also helps identify gaps, and specific information security risk management practices that should be updated or created to meet the agency’s risk management expectations.

Asset management – You have to create and maintain a complete, accurate, up-to-date and prioritised inventory of your systems. Without one, you cannot effectively manage information controls across the organisation or implement an effective security program. The inventory must include identification of the interfaces between all other systems or networks, including interfaces not controlled by your agency. The inventory is also needed to effectively track the agency’s systems for annual testing and evaluation and for contingency planning.

Configuration management compliance – Combining file integrity monitoring with comprehensive compliance policy management for IT configuration control helps ensure critical IT configurations are aligned with security best practices and policies. It also detects changes that cause these configurations to deviate from their “known good” state and corrects poor configurations to reduce the risk of exploits and breaches.

Develop a comprehensive vulnerability management program - Combining vulnerability, severity, and asset criticality information helps you quickly identify, rank, and address violations and vulnerabilities on systems and devices, and automatically ranks the risk potential of new threats by correlating events with asset and vulnerability data.

Network segmentation and zoning – Remediate your flat internal network. Flat networks make it easy for cybercriminals to move around freely and find the data they’re after through any machine on the network. An agency’s network is composed of users, devices, and systems with varying security requirements for confidentiality, integrity, and availability, so it is logical to separate higher-risk entities from lower-risk entities and to group like entities that require common protection strategies. Your agency should set up functional zones to isolate critical assets and compartmentalise the network environment.

Install a security information and event management (SIEM) system – The role of SIEM in the defence arsenal cannot be overstated. The volume, velocity, and variety of log entries and events in your IT environment require an automated way of centrally collecting and analysing security data from heterogeneous devices. It is an essential component for proactively detecting and identifying incidents and tracking them, by consolidating, analysing, and correlating event information across the entire infrastructure.

Develop security plans for internal systems – Systems such as your perimeter network, data storage, applications and databases, TRIM, networking infrastructure, etc. Security plans translate business, risk and compliance requirements into an overall information security plan. The plan and related policy should cover all major components of systems and facilities and should outline the duties of those who are responsible for overseeing the security management function as well as those who own, use, or rely on the particular system’s resources.

Use two-factor authentication for all privileged user accounts (including systems administrators and business users) – This protects systems from threats coming from inside the agency through the security management of users and groups that have privileged access to critical resources. Logging authentication activity protects the enterprise from the possibility of abuse, data theft or fraud by privileged users.

For identity monitoring, focus on privileged user accounts – Sophisticated attacks cannot succeed without taking over administrative accounts. Regular monitoring of these accounts helps to ensure the integrity of agency-wide security and protects against the privilege escalation used in attacks. All administrative domain or system-level users and groups, and all local administrative users and groups on sensitive servers, should be monitored on a continuous basis.
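The SIEM item above and this privileged-account monitoring item come together in correlation rules run over the collected events. As an added example (not the author’s or any SIEM vendor’s rules), the following correlates a small, constructed stream of key=value log lines and raises alerts for three conditions: a membership change to a privileged group, a privileged logon outside business hours, and a privileged logon that succeeds after a run of failures. The group names, user names, hours and threshold are hypothetical policy values for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical agency policy values (constructed for this example).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
PRIVILEGED_USERS = {"admin01", "svc_backup"}
BUSINESS_HOURS = range(7, 19)        # 07:00 to 18:59, local time
FAILED_LOGON_THRESHOLD = 3

# Constructed log lines in a simple key=value format (not real agency logs).
SAMPLE_LOG = """\
2011-12-14T09:05:12 host=fs01 event=logon user=jsmith src=10.0.5.7 result=success
2011-12-14T02:13:05 host=dc01 event=logon user=admin01 src=10.0.9.44 result=success
2011-12-14T02:14:00 host=dc01 event=group_member_added group="Domain Admins" member=jsmith actor=admin01
2011-12-14T10:00:01 host=dc01 event=logon user=svc_backup src=10.0.9.44 result=failure
2011-12-14T10:00:02 host=dc01 event=logon user=svc_backup src=10.0.9.44 result=failure
2011-12-14T10:00:03 host=dc01 event=logon user=svc_backup src=10.0.9.44 result=failure
2011-12-14T10:00:04 host=dc01 event=logon user=svc_backup src=10.0.9.44 result=success
2011-12-14T10:30:00 host=dc01 event=group_member_added group="Staff" member=bjones actor=admin01
garbage line that the parser should skip
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str):
    """Parse one line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    rec = {"ts": ts, "host": m["host"], "event": m["event"]}
    for key, raw, quoted in KV_RE.findall(m["rest"]):
        rec[key] = quoted if raw.startswith('"') else raw   # strip quotes from quoted values
    return rec


def correlate(lines):
    """Run the three privileged-account rules over the whole event stream, in order."""
    alerts = []
    failures = defaultdict(int)      # consecutive failed logons per user
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "group_member_added" and rec.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_change", "ts": rec["ts"],
                           "detail": f'{rec.get("actor")} added {rec.get("member")} '
                                     f'to {rec["group"]} on {rec["host"]}'})
        elif rec["event"] == "logon":
            user = rec.get("user")
            if rec.get("result") == "failure":
                failures[user] += 1
            elif rec.get("result") == "success":
                if user in PRIVILEGED_USERS and failures[user] >= FAILED_LOGON_THRESHOLD:
                    alerts.append({"rule": "privileged_success_after_failures", "ts": rec["ts"],
                                   "detail": f'{user} succeeded after {failures[user]} failures '
                                             f'from {rec.get("src")}'})
                failures[user] = 0
                if user in PRIVILEGED_USERS and rec["ts"].hour not in BUSINESS_HOURS:
                    alerts.append({"rule": "privileged_logon_off_hours", "ts": rec["ts"],
                                   "detail": f'{user} logged on to {rec["host"]} '
                                             f'at {rec["ts"].time()} from {rec.get("src")}'})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert["rule"], alert["ts"], alert["detail"])
```

The unprivileged user jsmith and the change to the “Staff” group generate nothing, which is the point of keying the rules to the privileged-account list: the analyst sees three alerts rather than nine lines, and the group-change alert ties the new Domain Admins member back to the off-hours administrative logon that preceded it.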

Increased vigilance with privileged access revalidation – User revalidation procedures (routine department manager review of subordinates’ access privileges) and data/system owner revalidation procedures (routine data owner review of user access privileges) should be routinely performed for all privileged users.

Removable media device control – Allows greater visibility and control over information leakage by restricting and logging all information copied to removable media. Allows an administrator to manage the use of removable media storage devices such as USB sticks, external hard disks, optical media drives (CD / DVD / Blu-ray), etc.

Removable media encryption – Allows administrators to set and enforce an encryption policy for removable media, including device activity and file movement. Logs are stored in a central database, enabling centralised auditing and compliance reporting. Devices to consider encrypting include USB flash drives, external hard drives, smartphones/PDAs, iPods, CD/DVD drives, etc.

Network forensics and data analytics – Provides real-time visibility into network activity including insider threats, zero-day exploits, targeted malware, APTs, espionage, fraud and data leakage; supports continuous monitoring of security controls; and adds efficiency to incident investigations and workflow. Analyses malware communication protocol characteristics, such as the custom commands used to initiate transmission sessions.

Data Leak Prevention – Enforces policies for sensitive data transmitted through corporate e-mail, webmail, instant messaging, HTTP, HTTPS, or any generic TCP/IP protocol. Provides a set of technologies and inspection techniques used to classify information content contained within objects such as a file, email, application or data store while at rest, in use, or in transit across the agency network.

Virtual environment security assessment tool – Assesses the virtual infrastructure to identify key security risks based on VMware’s security hardening guidelines as well as directives such as ISO 27005, CIS benchmarks, US DISA STIGs, and others. Provides detailed remediation guidance, reporting for auditing and compliance requirements, and graphical dashboards of the security state of the virtual environment.

Penetration testing and social engineering exercises – The purpose of penetration testing is to act as an auditing tool, a validation that existing practices and procedures are sufficient to protect the network. As with vulnerability assessment, a successful penetration indicates some systemic flaw in network security policies or practices.

Conclusion

Defending against cyberattacks can be a daunting task. Your challenge really depends on the type of information you use and store in your agency network.

Cyberattackers will use sophisticated attack techniques and highly effective malware. The systems most vulnerable to these types of attack are portable media, laptops and desktops, which provide a gateway to attacks on other critical systems. However, it is not simply a case of a particular technology guarding against one type of attack. Today, everything is interlinked.

With sophisticated attack scenarios, the security environment of the future will shift away from the fortress model of security strategies. We must not only prevent-detect-respond, but also live continuously in a threatening situation and still run operations. In dealing with a highly sophisticated, deeply resourced adversary, security is more akin to a counter-intelligence function of which technology plays a major part, but is not the whole solution.

The protection strategies identified here should help you bring together people, processes and technologies to provide your agency with more comprehensive protection in the new normal of cyberspace.

About the author: Keith Price is Director and Principal Consultant at Black Swan Consulting Group and the National Director of the Australian Information Security Association. He has 25 years’ experience in IT and specialises in information security strategy, governance, architecture, and assurance. He has substantial experience advising government agencies in all aspects of information security. Keith’s qualifications include BBus, MSc, CISSP, CISM, and CGEIT.

For more information and assistance, contact Keith at keith@blackswanconsulting.com.au

References

  1. McAfee/SAIC, Underground Economies, 2011
  2. RSA, 2011 Cybercrime Trends Report
  3. http://blogs.rsa.com/rivner/anatomy-of-an-attack/
  4. Verizon, Data Breach Investigations Report, 2011
  5. http://www.bankinfosecurity.com/articles.php?art_id=3178&pg=1
  6. McAfee, 2011 Threats Predictions
  7. Sophos, Security Threat Report 2011
  8. McAfee, 2011 Threats Predictions
  9. Symantec, Internet Security Threat Report XVI, Trends for 2010
  10. Blue Coat, Mid-Year Security Report 2011
  11. Blue Coat, Web Security Report 2011
Last modified on Thursday, 19 April 2012 09:42
