ACSC programs and advice are being migrated to cyber.gov.au (see sidebar)

Cyber Security for Contractors

Download ACSC Protect: Cyber Security for Contractors (PDF), March 2018
First published 2012 (as Cyber Adversaries Targeting Defence Contractors); updated 2017 and March 2018

Introduction

  1. Adversaries regularly target Australian Government information held by contractors, both classified and unclassified, in an attempt to gain an economic or strategic advantage.
  2. This document has been developed to assist contractors with appropriately securing Australian Government information on their systems.

Contractors hold valuable information

  1. Foreign intelligence services are the foremost cyber threat to Australia. Such adversaries seek both national security and commercial information to identify vulnerabilities in Australian capabilities or to further their own economic or strategic advantage.
  2. Contractors, both in Australia and overseas, have reported significant increases in malicious cyber activity against their systems and are priority targets for adversaries (Washington Post: Confidential report lists US weapons system designs compromised by Chinese cyberspies). Often the value to an adversary of the information contained on a contractor's systems is not immediately evident. Unclassified information can still be sensitive; in particular, wholesale aggregation of unclassified information can present a threat to Australia's interests.
  3. Examples of adversaries compromising contractors include the compromises of:
    1. US aerospace company Boeing, which resulted in gigabytes of information relating to 32 US projects, including information on the Lockheed Martin F-35 and F-22, as well as the Boeing C-17 aircraft, being sent to China (The Register: Chinese hacker jailed for shipping aerospace secrets home).
    2. US security vendor RSA, which led to subsequent targeting of US defence contractors Lockheed Martin, L-3 Communications and Northrop Grumman. This cyber security incident is reported to have cost RSA USD90 million (Ars Technica: RSA finally comes clean: SecurID is compromised).
  4. Cyber intrusion techniques are many and varied. A common cyber intrusion technique used by adversaries is socially-engineered emails targeting high-ranking members of contractors and their support staff. These emails often aim to exploit common security vulnerabilities such as unpatched applications or operations systems, the use of similar passwords across systems, or the use of personal devices for work purposes. These emails may be sent directly from an adversary or from a supplier or sub-contractor that an adversary has already compromised in order to leverage a trusted relationship with their intended target.

Essential mitigation strategies

  1. To protect information provided by or developed for the Australian Government, contractors should implement the Essential Eight from the Strategies to Mitigate Cyber Security Incidents. This is the cyber security baseline for organisations.
    1. Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
    2. Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with 'extreme risk' vulnerabilities within 48 hours. Use the latest version of applications.
    3. Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate.
    4. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
    5. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
    6. Patching operating systems. Patch/mitigate computers (including network devices) with 'extreme risk' vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
    7. Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high­availability) data repository.
    8. Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.

Perform regular vulnerability assessments

  1. In addition to implementing the Essential Eight, systems should be regularly reviewed for security vulnerabilities, particularly after significant changes. Vulnerability assessments can be done in-house or by an independent provider using both automated and manual methods.

Consider implementing and sustaining an education program for employees and subcontractors

  1. An education program will provide employees and sub-contractors with a better understanding of common cyber threats such as socially-engineered emails, malicious websites and the danger of poor password policies.

Beware of malicious insiders

  1. Adversaries will often attempt to influence contractors’ employees in an attempt to gain access to Australian Government information or to have them perform actions on a system to benefit their strategic goals. By conducting ongoing vetting of employees, especially for those with privileged access, controlling the ability to remove Australian Government information from systems, and implementing a comprehensive audit program, this risk can be lowered.

Report cyber security incidents early and often

  1. This includes informing the Australian Cyber Security Centre (ACSC) of any cyber security incidents that could potentially threaten Australian Government information. Seeking assistance early can mitigate or reduce a potentially dangerous and embarrassing compromise. By immediately informing the ACSC, assistance can be provided without delay and will contribute to safeguarding Australian Government information.

Use available cyber security resources

  1. Initiatives such as the Defence Industry Security Program (DISP) and the Joint Cyber Security Centres (JCSCs) within the ACSC provide advice and assistance to contractors. The ACSC also publishes a range of cyber security publications.
  2. Sponsorship of Defence contractors into the DISP helps to ensure that Defence contractors provide, and are provided with, appropriate security guidance. Defence contractors with membership to the DISP also have access to the Defence Security Manual (DSM), which details the standards, processes and procedures that direct the application of protective security measures by Defence personnel and external service providers.

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations’ systems.
  2. The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.

Contact details

  1. Organisations or individuals with questions regarding this advice can contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

In August 2018 ACSC launched a new website, cyber.gov.au, to reflect its new organisation.

Cyber security programs and advice are being migrated to cyber.gov.au. Information and advice on this site remains current.

Reports help the ACSC to develop a better understanding of the threat environment and will assist other organisations who are also at risk.

Cyber security incident reports are also used in aggregate for developing new defensive policies, procedures, techniques and training measures to help prevent future incidents.

Information for Australian businesses
Information for individual Australian citizens
Information for Federal, State and Local government agencies