Understanding Cybersecurity Posture across the Commonwealth
The Australian Signals Directorate (ASD) recently published The Commonwealth Cyber Security Posture in 2019 report, highlighting the number and type of incidents it responded to, as well as some of the programs put in place to help improve the security of Commonwealth entities. Whatever one makes of the debate over increased political pressure for transparency into individual departments, the report’s aggregated and anonymised data clearly illustrates the need for better protection of citizen data. With the recent announcement from the Prime Minister and the Minister for Defence that public and private sector organisations are being targeted by a sophisticated cyber actor, and with only small evolutionary gains made against the currently measured criteria, raising the bar may need revolutionary change.
Here at Illumio, we’re proud to be part of strategic discussions and security programs working across Australia and New Zealand directly with agencies and departments as well as the security systems integrators and managed service providers, such as Cirrus Networks, that are often the engine room of these IT teams.
Despite most entities now stating they are able to accurately identify the number of “cyber security events and incidents” they suffer per day or week (often hundreds per day), 73 percent of non-corporate Commonwealth entities report only ad hoc or developing levels of maturity in the baseline security disciplines that respond to such threats.
The reporting done over the last seven years makes it quite clear that, even with improvements, our Federal government systems remain vulnerable to cyber threats, and that additional work is required for Commonwealth entities to reach a mature and resilient cybersecurity posture that meets the evolving threat environment.
As reported in these findings, a diverse range of incidents and evolving IT landscapes require constant evaluation and adjustment of security. Continuing with a point-solution approach to securing an agency against attacks requires a plethora of tools, skills, and personnel. In many cases, organisations would benefit from a more holistic architectural approach to cyber resilience, such as Zero Trust. Gaining significant momentum in U.S. Federal departments, this approach not only focuses thinking on assuming and planning beyond a breach, but also instils least-privilege principles across the broader security disciplines and, through an overarching strategy, reduces the “expense in depth” of siloed tools and teams.
As the corporate world has discovered, municipalities should focus on preventative containment strategies that reduce the impact or blast radius when breaches do occur. This is particularly important as departments continue to uplift their expected baseline security levels and when there is evidence of motivated and sophisticated adversaries deliberately targeting Australia in order to obtain information on: defence capabilities; cutting-edge Australian research; valuable intellectual property; and the personal and financial information of Australian residents and Government staff.
One item that stood out, and that represents a consistent finding across most enterprises, state agencies, and Federal agencies, is that Commonwealth bodies have inadequate visibility of their information systems and data. Most agency IT teams need to modernise, and are modernising, their data centre technologies through approaches like software-defined networking (SDN), virtualisation and containerisation, layered with automation and orchestration platforms to achieve more agile application development. It is no wonder, then, that operations and security teams find it ever more difficult to keep track of the dynamic application environment and the security blind spots that remain.
Preventing unvetted and untrusted Microsoft Office macros from running, hardening applications on user workstations, requiring multi-factor authentication on RDS sessions, and patching web-facing servers are important hygiene tactics, and it is good to see marked improvement in these areas. However, those are only some of a multitude of threat vectors attackers use, which include copy-paste style attacks on known vulnerabilities as well as zero-day threats that continue to be found and exploited. Limiting the damage of breaches when they occur (and they inevitably will) requires understanding how an attacker could move laterally from an established foothold, regardless of how it was established, to the systems managing sensitive data within the hundreds and thousands of servers each department runs.
Only once you understand what your applications are, where they are hosted, and how they are interacting with each other, can you start to take control of those assets and define and deploy the most effective security posture.
Cirrus Networks’ CTO Andrew Weir concurs that he is “regularly asked by customers how they might gain more visibility into what is happening within applications upon their systems and networks. Often these applications were developed on legacy systems and then integrated into new infrastructure at a later date. For larger IT departments validating and managing the efficiency and security of applications can be difficult. Understanding what your applications and users are doing in your environment is crucial to good decision making. Without this visibility it is hard to determine where limited resources should be spent.”
With network security traditionally focused on North-South traffic through the perimeter, agencies are being measured on preventing the establishment of command and control from occurring, but are not yet embedding the Essential Eight security disciplines. Attackers who successfully breach the external firewall often have no further restrictions once inside the network. In other words, hackers can cherry-pick their way in and are then free to move laterally through the network until they reach their targets.
Although network segmentation is not one of the Essential Eight, it is rated an “excellent” mitigation in ASD’s broader set of strategies for limiting the extent of cyber security incidents. Effective network segmentation for the modern data centre, and the containment strategies at the heart of Zero Trust, are becoming (and must continue to be) prioritised as a vital and fundamental piece of each department’s ongoing security strategy. This will help to bolster resilience as the low-water-mark baseline levels are reached.
The way agencies are currently asked to evaluate and report on their security posture drives qualitative measures and, ultimately, approaches or products that make them “more compliant, improve their security, or provide a better way of detecting threats.” With that said, “more”, “improve,” and “better” are all qualitative measures and predominantly self-assessed. Do these initiatives provide, and can they be linked to, quantitative improvement in the resilience of IT systems against malicious attack, be it nation-state or the ever-popular ransomware of cyber criminals?
Chosen well, micro-segmentation not only ensures that you are drastically increasing the difficulty for attackers to reach and exfiltrate valued data – with proven quantitative benefits – it does so without needing additional staff or the effort and financial burden of traditional large-scale security initiatives that this report highlights are the commonly reported obstacles.
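To make the “blast radius” argument of the preceding paragraphs concrete, here is an added example (not Illumio or Cirrus code, and not from the ASD report) that estimates how many hosts an intruder could reach from a given foothold by chaining permitted flows. It compares a flat network, where nothing restricts east-west traffic once the perimeter is breached, against an allow-list segmentation policy keyed on application and tier labels. The inventory, labels and rules are constructed for illustration; the only assumption is that the application-visibility work described above has already produced such labels.

```python
"""Estimate lateral-movement blast radius for a foothold under two policy
models: a flat network (perimeter only, no east-west restrictions) and an
allow-list micro-segmentation policy. Added example: the inventory, labels
and rules below are constructed for illustration, not taken from any real
agency environment."""
from collections import deque

# Constructed inventory: host -> (application, tier). Assumes the
# application-visibility work the post calls for has produced these labels.
HOSTS = {
    "ws-01": ("corp", "workstation"),
    "ws-02": ("corp", "workstation"),
    "web-01": ("portal", "web"),
    "app-01": ("portal", "app"),
    "db-01": ("portal", "db"),
    "hr-web": ("hr", "web"),
    "hr-db": ("hr", "db"),
    "bk-01": ("backup", "backup"),
}

# Allow-list rules: (src_app, src_tier, dst_app, dst_tier, port).
# Direction matters: the backup host initiates to the databases, never the
# reverse. Anything not matched by a rule is denied.
SEGMENTED = [
    ("corp", "workstation", "portal", "web", 443),
    ("corp", "workstation", "hr", "web", 443),
    ("portal", "web", "portal", "app", 8080),
    ("portal", "app", "portal", "db", 5432),
    ("hr", "web", "hr", "db", 5432),
    ("backup", "backup", "portal", "db", 22),
    ("backup", "backup", "hr", "db", 22),
]


def permitted_ports(policy, src, dst):
    """Ports on which the policy allows src to initiate a connection to dst.
    policy=None models a flat network where every port is open east-west."""
    if policy is None:
        return {"any"}
    sa, st = HOSTS[src]
    da, dt = HOSTS[dst]
    return {p for a1, t1, a2, t2, p in policy
            if (a1, t1) == (sa, st) and (a2, t2) == (da, dt)}


def reachable(policy, foothold):
    """Hosts an intruder controlling `foothold` could reach by chaining
    permitted flows (breadth-first search over the inventory). Returns
    {host: path_from_foothold} so each exposure can be traced back to the
    rules that allow it."""
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt in paths or not permitted_ports(policy, cur, nxt):
                continue
            paths[nxt] = paths[cur] + [nxt]
            queue.append(nxt)
    del paths[foothold]
    return paths


def blast_radius(policy, foothold):
    """Number of hosts exposed from a foothold: the figure to compare
    before and after a segmentation change."""
    return len(reachable(policy, foothold))


if __name__ == "__main__":
    for foothold in ("ws-01", "web-01", "db-01"):
        flat = blast_radius(None, foothold)
        seg = blast_radius(SEGMENTED, foothold)
        print(f"{foothold}: flat={flat} hosts, segmented={seg} hosts")
        for host, path in reachable(SEGMENTED, foothold).items():
            print("    " + " -> ".join(path))
```

Running it shows the quantitative effect the post refers to: from a compromised web-facing server (`web-01`) the flat network exposes all seven other hosts, while the allow-list policy exposes two, and the directional backup rule means a compromised database reaches nothing further. The `reachable` paths double as review output, since every exposed host is explained by a specific rule chain that a policy owner can accept or tighten.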
But more about that in part 2 of this series.
Although no details of specific attacks were given, and the source of the recent increase in attack volume has not been publicly attributed to anyone, Prime Minister Morrison’s recent press release should certainly be taken by Australian government departments and enterprises as a wake-up call, as much as it is perhaps a notice to those responsible that “we know what you’re up to.”
If you’re not already engaged, reach out to Illumio and Cirrus and check out the next installment for how you can take the Defense Minister’s advice: “take steps to protect your own network” and plan beyond the tactical recommendations for the recent attack vectors to limit the opportunity and impact of future breaches.
And for more information on how micro-segmentation with Illumio works, visit https://www.illumio.com/products/adaptive-security-platform