This is an article written by Paul Kenyon, COO of Avecto, on how the Australian Defence Signals Directorate could teach IT security professionals a thing or two when it comes to operating system and application whitelisting plus privilege controls. It is shared with permission.
The Australian economy – under the respected guidance of its 27th Prime Minister Julia Gillard and her federal team – is carving out a name for itself in the IT security arena.
Whilst this may sound surprising, it comes against the background of Australia’s (as a country) relative youth and the fact that the country has around 22 million citizens: big enough to make its weight felt in international terms, but small enough to be flexible in the modern world of IT matters.
A key example of this is the country’s Defence Signals Directorate (DSD) – Australia’s equivalent to the US Department of Homeland Security – which has analysed some of the attack techniques used by cybercriminals and come up with four main methods of blocking them.
And the Australian government – moving swiftly in response – has started rolling out these techniques across its government IT infrastructre, reportedly to great effect.
The 3rd and 4th techniques centre on the idea of whitelisting, that is, forcing public sector computer users to install only approved (whitelisted) applications and only allowing similarly approved – and risk analysed – emails to be viewed.
This means that, on their office computers, government employees can only access their corporate email and browse a limited number of Web sites, which, in turn – means they have a far less chance of infecting their PCs than `civilian’ Internet users.
Alongside its controlled software and Internet usage approach to IT, the Australian government has also been highly pro-active in quickly patching high-risk security vulnerabilities in both the operating systems and software that its many computers run.
Based on an analysis of its Internet usage during 2010, in fact, the Australian DSD concluded that at least 85 per cent of the targeted cyber intrusions that it responded to during the year could have been prevented by following these four main mitigation strategies.
These four strategies are just part of a 35-point strategy report – Strategies to Mitigate Targeted Cyber Intrusions (http://bit.ly/lvZn7K) – which found that, although resistance to the idea of patching operating systems and software was low, the costs involved on the financial and staff training side of things were still quite high.
That’s not to say that staff response to the report’s recommendations – which included the control over both portable and data devices – was entirely positive. The report’s authors found there was a high degree of staff resistance to the idea that their access to USB sticks and other forms of low-cost data storage were to be restricted.
Despite this, there are signs that staff are now realising that these data security requirements are a normal part of doing business in the public sector and will therefore be the normal IT methodology – both now and in the future.
If we contrast this IT security methodology to that seen in the government and public sector here in the UK – where the emphasis is very much on cost saving, rather than taking a draconian approach to effective security – it can be seen that there is considerable scope for security problems with many UK government departments being encouraged to go down the open source (freeware) route.
There is, of course, nothing wrong with using open software over commercial applications, but most experts agree that at least some of the cost savings accrued from going down the open source route should be re-invested in other aspects of computing security, not least in ensuring those applications are secure enough for general usage.
Unfortunately for computer users in the UK, there are signs that the audit requirements laid down by current governance rules can still be counter-productive in the longer term, as employees are still free to source – and use – just about any software application they wish.
Put simply, where Australian public sector workers are effectively told what operating system and software they will be using in the workplace – and IT governance/security staff can plan and accommodate accordingly – their UK counterparts are allowed carte blanche (within reason) to decide the software they wish to use.
IT purists might argue that this makes for a more efficient IT user base in the UK public sector when compared to their Australian colleagues, but there are real reasons behind the Australian mandate on what operating system and software you can – and cannot – use.
A clear example of this lies in the use of SCADA – Supervisory Control And Data Acquisition – computer control systems seen at the heart of many industrial automation and control systems.
First developed in the 1960s – and really coming into their own with the arrival of the first PCs in the 1980s – SCADA-driven systems are typically found in industrial systems such as energy power plants, electricity supply grids, chemical plans and many other industrial systems that require a high degree of computerised control – but also require total, 100 per cent, systems availability.
This is Mission Critical with a capital M and C. Many businesses claim their IT processes are mission critical, but SCADA control systems are often critical to national infrastructures.
If the national electrical grid goes down, for example, it can cost industry many tens of millions of pounds per hour and – in the case of hospitals, air traffic control systems and the like – can actually place people’s lives in jeopardy.
Despite the fact that a growing number of PC users in the private and public sector are migrating – or have migrated onto – the Windows 7 platform, most SCADA-based systems use a robust and ruggedised version of Windows 98, a 16-bit version of Windows dating back to the late 1980s.
The reason for this apparent luddite approach is quite simple: by using a stable and unchanged operating system which has been fully updated and completed its lifecycle, SCADA-based systems can have their operating system loaded into firmware.
This means that, although there is no equivalent of Microsoft’s `Patch Tuesday’ update programme for Windows 98, cybercriminals cannot easily subvert the code of SCADA-based system, since the firmware-based operating system is fixed – and cannot be updated.
This fully-embedded firmware approach is fairly unique to SCADA-based operating systems, but helps one to understand that a highly controlled operating system and software environment – as mandated under the Australian DSD’s diktat – has a far lower risk of subversion than the free-for-all software approach see in the cost-cutting UK public sector.
Here at Avecto, whilst we understand the impetus behind moving to open source software that a growing number of UK government departments and allied public sector agencies are moving towards as part of their cost-cutting strategy, this does not mean that the Australian ideas enshrined in the DSD report cannot also be applied here in the UK.
This is because the principle on which our security offerings are built is Windows privilege management – namely the control over who has access to specific applications running on the corporate IT platform, as well as the underlying data.
This means, for example, that if the admin team only run their control and security software from within the network perimeter on known PCs, then access to those applications can be locked down to specific on-network computers.
Then, even if a set of admin account credentials are compromised by hackers, they cannot use those credentials from the Internet – they would still have to gain physical access to the terminals used by the admin staff.
This is a similar belt-and-braces approach being adopted by a growing number of banks for online account access. Not only must users present the right credentials, but they must also authenticate themselves using the appropriate hardware token.
Back in the land of securing Windows-based computers, meanwhile, and it is interesting to note that a second report from Australia’s DSD – Implementing the DSD’s Top Four for Windows environments (http://bit.ly/tfouuM ) – the conclusion is quite unequivocal:
“Minimising administrative privileges is an exercise in the principle of least privilege. In a properly designed, administered and maintained environment there is no requirement for any user to have administrative privileges on their day-to-day account. In addition there should be no account which has both administrative privileges and access to networks outside of the organisation, such as Internet or email services,” it says.
“When properly planned and executed, minimising administrative privileges can have significant flow on benefits to the stability and consistency of the computing environment, simplifying administration and support of that environment,” it adds.
Does this sound vaguely familiar? It should – it’s effectively a summary of the reasoning and principles surrounding the use of SCADA-based computer systems that run our critical infrastructures.
And whilst I’m clearly not advocating the use of the inflexible embedded operating system approach seen on SCADA-based platforms, I think there is considerable scope for the Australian DSD’s report recommendations to be deployed in UK corporate IT departments.
As well as reducing the risk profile of company IT systems, they would also greatly assist in the number of support calls need in a typical major corporate – which is something that will make the bean counters happy.
And that’s no bad thing when you think about it…