Following Russia’s attack on Ukraine, the Australian Cyber Security Centre (ACSC) has highlighted the importance of Australian organisations adopting an enhanced cyber security posture in response to the heightened threat in the current cyber environment. This includes both Australian Financial Services Licence (AFSL) and Australian Credit Licence (ACL) holders.
What does it mean for you?
Whilst ACSC does not provide technical standards or expert guidance on cybersecurity, it is expected that AFSL and ACL holders address cyber risks as part of their risk management strategies. This could include reviewing and enhancing a company’s detection, mitigation and response measures currently in place.
Identifying assets and performing risk assessments can establish the level of protection required against various cyber threats. For example, AFSL and ACL holders can undertake a penetration test to identify whether there are any loopholes and record any evidence suggesting a lower cyber security posture or higher threat exposure than previously realised.
ACSC has provided a general list of mitigation strategies AFSL and ACL holders can implement as a baseline for demonstrating appropriate procedures to enhance cyber security. These mitigation strategies are a starting point and we suggest AFSL and ACL holders also reach out to independent cyber security consultants to assist in targeting various cyber threats applicable to their operations.
ACSC’s mitigation strategies include:
- application control – to prevent execution of unapproved or malicious programs;
- patch applications – applications such as Flash, web browsers and Microsoft Office should be on the latest version;
- configure Microsoft Office macro settings – macros from the internet should be blocked, and only vetted macros with limited write access should be allowed;
- user application hardening – configuring web browsers to block Flash, ads and Java on the internet;
- restrict administrative privileges – privileges should be based on user duties and revalidated on a regular basis;
- patch operating systems – use the latest operating system version and ensure no unsupported versions are utilised;
- multi-factor authentication and regular backups – for all users, including for remote access.
When implementing these mitigation strategies, AFSL and ACL holders should first identify a target maturity level that is suitable for their environment. The maturity levels are based on mitigating increasing levels of the tools, tactics, techniques and procedures used in cyber security threats.
Here is a brief overview of what each maturity level represents. Please click here to see a detailed explanation of maturity levels.
Maturity Level 0
Maturity Level 0 signifies that there are weaknesses in an organisation’s overall cyber security posture and widescale review and updates are needed.
Maturity Level 1
Adversaries would leverage tools, tactics, techniques and procedures that are widely and publicly available in order to gain access to, and likely control of, systems. Adversaries are looking for any victim, rather than a specific victim.
Maturity Level 2
Adversaries are likely to invest more time and be more selective in their targeting but still somewhat conservative in the time, money and effort they spend.
Common tactics would be actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication.
Maturity Level 3
Adversaries are more adaptive and less reliant on public tools and techniques. Adversaries invest more time and money to exploit the weaknesses in the target’s cyber security posture. This includes social engineering a user to bypass security controls and circumventing stronger multi-factor authentication by stealing authentication token values to impersonate a user.
Please click here to see what mitigation strategies can be implemented for each maturity level and comparison between the strategies for various maturity levels.
At a minimum, AFSL and ACL holders should also consider implementing cyber incident response plans to ensure an effective response and prompt recovery procedures are in place if mitigation strategies do not prevent a cyber incident from occurring. This plan should be tested rigorously and regularly reviewed, including by an external cyber security consultant.
Please click on the link to access the Cyber Incident Response Plan – Guidance & Template created by ACSC to assist in producing an incident response plan.
Where can you go for help?
It is important that licence holders consider the risks that cyber threats pose to the business and its clients. The ACSC can provide assistance or advice as required. Organisations that have been impacted or require assistance can contact the ACSC via 1300 CYBER1 (1300 292 371).