Rationale
Software may contain flaws and vulnerabilities which are able to be exploited by a malicious actor. These vulnerabilities can not only be used to gain unauthorised access to classified or sensitive information, but also to undermine the integrity or availability of an agency’s information—such as by targeting an agency’s public website to disrupt access or modify its content for malicious purposes.
Installing antivirus software and software-based firewalls that limit inbound and outbound network connections are good first steps in reducing the risk of compromise. However, software security degrades over time as malicious actors discover new vulnerabilities and exploits, and these measures cannot be relied upon by themselves to protect workstations.
Ensuring software and operating system patches are up to date, and antivirus and other security software is appropriately maintained with the latest signatures, helps address new vulnerabilities as they emerge.
Agencies can also implement measures to help protect their systems from unknown vulnerabilities, such as malicious code not yet identified by antivirus or software vendors.
Restricting the running of applications on a system to only those that are specifically authorised provides increased protection against the execution and spread of malware. This is known as application whitelisting.
Moreover, by limiting the promulgation of information about what software has been installed on systems, agencies can help prevent a malicious actor from gaining knowledge of how to tailor potential attacks to exploit a particular vulnerability.
Database systems contain a wealth of information, and are therefore highly desirable targets for cyber intruders, as compromising them can have significant and immediate payoffs.
Implementing appropriate security controls will reduce the risk of unauthorised individuals accessing agency information held in databases, and accordingly reduce the risk involved with data aggregation.16
Scope
This chapter describes the importance of implementing and maintaining proper software security on agency systems.
16 Verizon, Data Breach Investigations Report, 2012.
DID YOU KNOW? Web applications are the third third of total data loss.17
PRINCIPLES: SOFTWARE SECURITY
Principles
1. Software Security
Maintain the confidentiality, integrity and availability of agency information and protect against the execution and spread of malware by implementing appropriate software security measures on systems.
Software vulnerabilities can be exploited by a malicious actor to gain access to agency information or to undermine its confidentiality, integrity or availability. Measures such as segregating networks and systems or limiting system privileges will assist in minimising the spread of malicious code or the damage it could do to an agency’s system. Even though web applications may only contain information authorised for release into the public domain, it is important to ensure security measures are incorporated to protect the integrity and availability of the information and the systems it is hosted on and connected to.
2. Known Vulnerabilities
Maximise software effectiveness and minimise vulnerabilities by implementing and routinely updating preventative measures, such as applying system and software patches, keeping antivirus signatures up to date and only running supported software.
Software security will degrade over time as malicious actors continue to discover new vulnerabilities and exploits. It is important that agencies monitor available information regarding new known vulnerabilities and apply the security patches released to address them as part of their risk management program.
Patching operating systems and applications are highly effective measures to prevent malicious actors from exploiting known vulnerabilities. Accordingly, these are two of the Top 4 Strategies in ASD’s list of Strategies to Mitigate Targeted Cyber Intrusions.17
3. Unknown Vulnerabilities
Maintain the confidentiality, integrity and availability of an agency’s information by removing, disabling and preventing the execution of unauthorised, unused or undesired software or software functionality wherever possible.
Restricting access to or disabling unauthorised, unused or undesired software or functionality effectively limits a malicious actor’s opportunity to exploit software vulnerabilities. Application whitelisting, which enables only specifically selected applications to be activated, is one of the most effective approaches in countering unknown risks. An average system user requires
DID YOU KNOW? In April 2013, more than 600,000 Mac users found themselves recruited into the global Flashplayer botnet due to a Java vulnerability left unpatched on OS X for far too long. Within weeks, another vulnerability was found in Java's secure application sandbox for versions 5, 6 and 7. This new exploit put 1 billion devices at risk.18
Restricting the user’s permissions to running a limited set of trusted applications significantly reduces the opportunities available for attacking a system and provides an effective mechanism to prevent system compromise due to the execution of unauthorised or malicious software. Accordingly, application whitelisting is one of the Top 4 Strategies in ASD’s list of Strategies to Mitigate Targeted Cyber Intrusions.
4. Databases
Protect database systems and their contents from theft, corruption, loss and unauthorised access by hardening through technical measures, administrator and user policies and regular audits.
Using supported and patched database software, securely configuring database software and stringently controlling database access will assist in protecting the contents of databases.
Assessing agency business requirements before storing sensitive information on databases is imperative, as this can impact an agency’s risk profile. Additionally, removing pre-configured default settings and placing database servers on a different network segment to agency corporate workstations will improve database security.
References
Further guidance on ASD’s Strategies to Mitigate Targeted Cyber Intrusions can be found at www.asd.gov.au/infosec/top35mitigationstrategies.htm.
PRINCIPLES: EMAIL SECURITY