In Australia, the government provides formal guidance on cyber security in the form of the ‘Strategies to Mitigate Targeted Cyber Intrusions’ document, issued by the Department of Defence. This ties in with the statutory information security compliance to which anyone handling Australian Government data is subject. The strategies are ranked in order of importance, from ‘essential’ to ‘average’, with some indication of how costly each is to implement and maintain. In light of the continuous evolution of cybercrime, some updates were made to the guidance quite recently.
It’s important to note that this guidance is underpinned by government core policy, which includes statutory requirements for the protection of data. You can read the full details of this on the Attorney-General’s website.
The reasons, evidence and full details surrounding these requirements are also set out extensively in the Information Security Manual; 328 pages of control measures in all their technical glory. For those of us who need just a basic understanding of the requirements and best practice, the publication and maintenance of the Strategies document is a godsend; in just a few minutes you can understand the top 35 ways the Australian Government requires Agencies to protect data, systems and technological infrastructure; an indication of which steps are more important; and at what expense when sharing Australian Government information and other assets with other governments (including foreign, state, territory and municipal), international, educational and private sector organisations.
The top four strategies given are as follows: 1) application whitelisting, 2) patching of applications, 3) patching of OS vulnerabilities and 4) restriction of administrative privileges. These are the most fundamental of security concepts. While this might seem obvious, it is something lacking in other information security requirements, and recent attack reports such as Verizon’s have shown that unpatched vulnerabilities are in fact a major route of attack.
Rather than detail every single strategy listed, we’re going to focus on strategy 24: Server application configuration hardening. When it comes to web applications, this is the most pertinent strategy to note. Hardening the configuration of a web application covers checking for any vulnerabilities and making changes at code level to ensure that the application is configured in the most secure way possible. If carried out correctly, this would remove high-severity weaknesses such as SQL Injection, Cross-site Scripting, Server-side Request Forgery and XML External Entity Injection vulnerabilities, along with the other most common forms of web application vulnerability. These are usually identified using a vulnerability scanner.
Further information can be gleaned from the relevant control measures in the Information Security Manual, which are as follows.
| Control | Revision | Updated | Applicability | Compliance | Authority | Description |
|---|---|---|---|---|---|---|
| 1240 | 0 | Sep-12 | UD, P, C, S, TS | Must | AA | Agencies must perform appropriate validation and/or sanitisation on all input handled by a web application |
| 1241 | 1 | Apr-15 | UD, P, C, S, TS | Must | AA | Agencies must ensure that output encoding is performed on all output produced by a web application |
| 0971 | 4 | Apr-15 | UD, P, C, S, TS | Should | AA | For web application development, agencies should follow the Open Web Application Security Project guides to building secure web applications |
| 1239 | 1 | Apr-15 | UD, P, C, S, TS | Should | AA | Agencies should utilise robust web application frameworks to aid in the development of secure web applications |
| 1275 | 0 | Sep-12 | UD, P, C, S, TS | Must | AA | All queries to database systems from web applications must be filtered for legitimate content and correct syntax |
| 1277 | 1 | Apr-15 | UD, P, C, S, TS | Must | AA | Sensitive or classified information communicated between database systems and web applications must be encrypted |
| 1278 | 1 | Apr-15 | UD, P, C, S, TS | Should | AA | Web applications should be designed to provide as little error information as possible to users about DBMS software and database schemas |
More than half of these controls are noted as a ‘must’ for compliance purposes: validation/sanitisation of input, encoding of output, query filtering and encryption of data exchanged between databases and web applications. Most of the controls have also been updated this year, which means they are of particular importance to note; this includes most of the ‘should’ controls, such as following OWASP guides for development, using robust web application frameworks and designing web applications to provide as little error information as possible regarding software and database schemas.
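To make the ‘must’ and ‘should’ controls above concrete, here is an added example (not code from the ISM or from this article) of a minimal request handler that applies controls 1240 (input validation), 1241 (output encoding), 1275 (query filtering via parameterised statements) and 1278 (minimal error information), with the string-built query it replaces shown alongside. It uses Python’s standard library only; the in-memory SQLite table, the user records and the username rules are constructed for the example.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the web application's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        [("alice", "Alice <Admin>"), ("bob", "Bob & Co")],
    )
    conn.commit()
    return conn


# Allow-list for the example's usernames (an assumption for this example, not an ISM rule).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(raw):
    """Control 1240: allow-list validation of input. Returns the value or raises ValueError."""
    if not isinstance(raw, str) or USERNAME_RE.fullmatch(raw) is None:
        raise ValueError("username must be 1-32 lowercase letters, digits or underscores")
    return raw


def lookup_display_name_weak(conn, username):
    """'Before' form: the value is spliced into the SQL text, so it can alter the statement,
    and any DBMS error propagates with its full message."""
    cur = conn.execute(f"SELECT display_name FROM users WHERE username = '{username}'")
    row = cur.fetchone()
    return row[0] if row else None


def lookup_display_name(conn, username):
    """Control 1275: a parameterised query keeps the statement fixed; the value is only data."""
    cur = conn.execute("SELECT display_name FROM users WHERE username = ?", (username,))
    row = cur.fetchone()
    return row[0] if row else None


def render_profile(conn, raw_username):
    """Request handler returning (status, html_body).
    Validates input (1240), queries safely (1275), HTML-encodes every dynamic value in the
    output (1241) and never passes DBMS or schema details to the client (1278)."""
    try:
        username = validate_username(raw_username)
        name = lookup_display_name(conn, username)
    except ValueError as exc:
        # Our own validation message, still encoded before it goes into the page.
        return 400, f"<p>Invalid request: {html.escape(str(exc))}</p>"
    except sqlite3.Error:
        # A real application would log the exception server-side; the client gets a generic line.
        return 500, "<p>An internal error occurred.</p>"
    if name is None:
        return 404, "<p>No such user.</p>"
    return 200, f"<p>Welcome, {html.escape(name)}</p>"


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "bob", "Alice", "x' OR '1'='1"):
        print(candidate, "->", render_profile(db, candidate))
```

Running the block shows the contrast: the weak lookup returns a row for a value that was never a username because the input became part of the statement, whereas the parameterised lookup returns nothing for the same value and the handler rejects it at validation before the database is reached. Control 1277 (encrypting traffic between the web application and the database) is a transport-level setting on the database connection rather than something shown here.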
Clearly this information is essential knowledge for any information security officer based in Australia or dealing with the Australian authorities, to whom this guidance also applies, but it also proves useful for anyone fighting cybercrime, giving a level of detail which is unparalleled by most other governmental cyber security guidance.