DSD: Security defenders at the gateway
The protective-security mission statement of the Defence Signals Directorate (DSD) may keep much of its activities out of the public sphere, but the Department of Defence intelligence operation is front of mind for the many government ICT managers that rely on its Information Security Manual (ISM) to guide their own security policies and practices.
ISM, known as ACSI 33 until 2005, is available online in a variety of formats to facilitate easy perusal or more comprehensive reference. In recent years, however, the manual’s scope and composition have expanded dramatically as the document evolved in response to increasingly specialised information-security threats.
Informed since 2010 by the activities of DSD subsidiary operation the Cyber Security Operations Centre (CSOC), the new ISM guides government departments in a wealth of areas. But with mobility, virtualisation, cloud computing and other trends creating new threats and attack vectors every day, how does DSD keep this seminal information-security manual up to date? We spoke with a DSD spokesperson to find out.
GTR: How would you characterise the overall security awareness across government departments?
DSD: DSD has seen significant improvements in ICT security across government due to raised awareness of the cyber threat, coupled with concerted efforts by government agencies to implement the top four strategies to mitigate targeted cyber intrusions.
DSD estimates that around 85% of targeted cyber intrusions could be prevented by implementing the top four mitigation strategies contained in this document. Nevertheless, securing large networks is a complex issue which requires an ongoing effort, both in user education and system improvements.
GTR: Where are the boundaries of DSD’s role as a trusted security advisor to government?
DSD: The principal legislation governing the DSD’s activities is the Intelligence Services Act 2001, which sets out its functions relating to information security as:
- Provide material, advice and other assistance to Commonwealth and state authorities on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means
- Provide assistance to Commonwealth and state authorities in relation to cryptography, computer and communications technologies, other specialised technologies acquired in connection with the performance of its functions, and the performance of search and rescue functions by Commonwealth and state authorities.
DSD’s role providing information security material, advice and assistance does not negate the importance of the role that government agencies themselves need to play. Agencies are responsible for applying DSD advice to develop their own policy and processes, based on their unique threat environment, business requirements and risk appetite.
GTR: How involved are government departments in the maintenance of the ISM?
DSD: DSD recognises that cyber security requires a collaborative approach across government. Australian government agencies have the opportunity to provide comment on the draft ISM prior to each release, and feedback from ISM users has proved invaluable in improving the depth and clarity of DSD advice. DSD also receives regular client feedback on the ISM throughout the year, which is considered and, where appropriate, incorporated before each update.
GTR: How has the ISM changed in response to the flood of new malware and attack vectors?
DSD: DSD believes embracing emerging trends in technology – such as cloud computing, BYO devices, virtualisation and so on – provides government with a genuine opportunity to conduct its business more efficiently. However, the threat of government being stolen or compromised is also very real.
Malware-driven botnets, DDOS attacks and 0-day exploits are real and increasing threats. Australia is experiencing increasingly sophisticated attempts to infiltrate networks in the public and private sectors. The CSOC provides government with a greater understanding of cyber threats against Australian interests and provides response options for significant cyber events across government and systems of national interest.
The ISM is updated to help agencies manage these threats. An example of this is the addition in the 2012 release on ‘ensuring service continuity’ to address concerns about DDOS attacks.
Although common assessments can be made about the threat landscape, a one-size-fits-all, checklist approach to information security is not feasible in today’s environment. DSD understands the need to develop flexible advice, and the ISM now places greater emphasis on applying risk-based decision-making within government agencies. This allows agencies to build an accurate picture of their threat profile, and understand where to focus their attention for maximum effect.
The ISM has developed to a three-tiered product suite, comprised of an Executive Companion, Principles document, and Controls Manual. This format provides more detailed rationale behind why controls are required, makes the ISM accessible to more users, and ensures that the people making the decisions in an organisation are involved in countering threats to their information and systems.
GTR: What flexibility does the ISM provide to accommodate new threat profiles?
DSD: The advice contained within the ISM is based on the activity and threats DSD sees on Australian government networks. This advice is continuously updated in response to this threat environment as it evolves. DSD releases ISM updates as necessary based on what we see with respect to emerging technologies and changes to the threat environment. A major update of the ISM occurred in 2012. DSD has focused on improving the depth and clarity of the technical advice in the Controls Manual. The 2012 ISM continues DSD’s ongoing review process to ensure ISM advice continues to meet agency needs and the evolving threat environment.
In conjunction with the ISM, DSD also produces information security advice to allow us to quickly communicate information on current threats and mitigation strategies to Australian government agencies.
GTR: Apple’s iOS mobile operating system recently received DSD accreditation for use in low-security government environments. Why did this happen after so many years in which it was available, and why was it not accredited for higher security clearances?
DSD: iOS security has improved with each version, and with the release of an Apple management tool on 7 March 2012, DSD was able to complete its evaluation to ensure that iOS met the security requirements to communicate and store information up to the PROTECTED classification. A product is required to be submitted before DSD can begin an evaluation process, and the submission was to evaluate iOS for the communication and storage of information up to PROTECTED. DSD has now successfully developed a way to configure these devices for agencies to communicate and store information up to the PROTECTED classification. Currently, no commercial mobile devices have been submitted for evaluation above PROTECTED.
GTR: EAL/Common Criteria evaluation has long been the benchmark for government security – but it has been seen as extremely expensive and burdensome. How is DSD adapting EAL processes to keep up with the rapid acceleration of technology?
DSD: DSD recognises the need for faster evaluations without sacrificing security standards, and is working with the international Common Criteria community to develop comprehensive standardised security requirements for evaluation. The requirements are captured in documents called Common Criteria protection profiles. These are tailored to a specific technology, and can be developed significantly faster than traditional evaluations. DSD intends to develop DSD protection profiles for all main security technologies for government.
This feature was originally published in the April/May 2012 issue of Government Technology Review.