diff --git a/.github/workflows/tlpclear-githubpages.yml b/.github/workflows/tlpclear-githubpages.yml index 44809277..42f54560 100644 --- a/.github/workflows/tlpclear-githubpages.yml +++ b/.github/workflows/tlpclear-githubpages.yml @@ -34,7 +34,7 @@ jobs: fetch-depth: 0 - uses: actions/setup-python@v4 with: - python-version: 3.x + python-version: 3.11 - name: install mkdocs run: pip install -r requirements.txt - name: build site diff --git a/.github/workflows/tlpclear-testing.yml b/.github/workflows/tlpclear-testing.yml index 5fa3035b..8fe61438 100644 --- a/.github/workflows/tlpclear-testing.yml +++ b/.github/workflows/tlpclear-testing.yml @@ -11,7 +11,7 @@ jobs: uses: actions/checkout@v3 - uses: actions/setup-python@v4 with: - python-version: 3.x + python-version: 3.11 - name: install mkdocs run: pip install -r requirements.txt - name: build site diff --git a/docs/README.md b/docs/README.md index 83215287..eae87df3 100644 --- a/docs/README.md +++ b/docs/README.md @@ -8,7 +8,6 @@ This site contains technical information to support WA Government Cyber Security - [Advisories (TLP:CLEAR)](advisories.md) - [Incident Reporting User Guide (Jira)](guidelines/incident-reporting.md) - [ACSC Essential Eight Assessment Process Guide](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-assessment-process-guide) -- [ACSC Strategies to Mitigate (including Further Five)](guidelines/further-five.md) ## Baselines & Guidelines diff --git a/docs/advisories/20231012003-Citrix-Releases-Security-Updates-for-Multiple-Products.md b/docs/advisories/20231012003-Citrix-Releases-Security-Updates-for-Multiple-Products.md index 22dd1c9f..7559b5f1 100644 --- a/docs/advisories/20231012003-Citrix-Releases-Security-Updates-for-Multiple-Products.md +++ b/docs/advisories/20231012003-Citrix-Releases-Security-Updates-for-Multiple-Products.md 
@@ -8,7 +8,7 @@ Citrix has released multiple updates to address critical vulnerabilities in ADC, Vulnerabilities in **NetScaler ADC and NetScaler Gateway**: -- [**CVE-2023-4966**](https://nvd.nist.gov/vuln/detail/CVE-2023-4966) - CVSS v3 Base Score: ***8.4*** - Denial of service +- [**CVE-2023-4966**](https://nvd.nist.gov/vuln/detail/CVE-2023-4966) - CVSS v3 Base Score: ***9.4*** - Denial of service - [**CVE-2023-4967**](https://nvd.nist.gov/vuln/detail/CVE-2023-4967) - CVSS v3 Base Score: ***8.2*** - Denial of service diff --git a/docs/advisories/20231023002-BIG-IP-Configuration-utility-vulnerability.md b/docs/advisories/20231023002-BIG-IP-Configuration-utility-vulnerability.md index 6b6468f3..bf278c3d 100644 --- a/docs/advisories/20231023002-BIG-IP-Configuration-utility-vulnerability.md +++ b/docs/advisories/20231023002-BIG-IP-Configuration-utility-vulnerability.md @@ -1,4 +1,4 @@ -# BIG-IP in Appliance Mode Configuration utility vulnerability - 20231023002 - 20231023002 +# BIG-IP in Appliance Mode Configuration utility vulnerability - 20231023002 ## Overview diff --git a/docs/advisories/20231023003-Juniper-Junos-OS-authentication-backdoor.md b/docs/advisories/20231023003-Juniper-Junos-OS-authentication-backdoor.md new file mode 100644 index 00000000..24fffff5 --- /dev/null +++ b/docs/advisories/20231023003-Juniper-Junos-OS-authentication-backdoor.md 
@@ -0,0 +1,29 @@ +# Juniper Junos OS authentication backdoor - 20231023003 + +## Overview + +An Incorrect Default Permissions vulnerability in Juniper Networks Junos OS allows an unauthenticated attacker with local access to the device to create a backdoor with root privileges. The issue is caused by improper directory permissions on a certain system directory, allowing an attacker with access to this directory to create a backdoor with root privileges. + +## What is the vulnerability? + +[**CVE-2023-44194**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44194) - CVSS v3 Base Score: ***8.4*** + +## What is vulnerable? + +This issue affects Juniper Networks Junos OS: + +- All versions prior to 20.4R3-S5; +- 21.1 versions prior to 21.1R3-S4; +- 21.2 versions prior to 21.2R3-S4; +- 21.3 versions prior to 21.3R3-S3; +- 21.4 versions prior to 21.4R3-S1. + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month* (refer [Patch Management](../guidelines/patch-management.md)): + +Review the following bulletin for further information: [Juniper Junos OS 2023-10 Security bulletin](https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-An-unauthenticated-attacker-with-local-access-to-the-device-can-create-a-backdoor-with-root-privileges-CVE-2023-44194?language=en_US) diff --git a/docs/advisories/20231023005-SolarWinds-ARM-ThreeCriticalRCEVulnerabilities.md b/docs/advisories/20231023005-SolarWinds-ARM-ThreeCriticalRCEVulnerabilities.md new file mode 100644 index 00000000..430dd53e --- /dev/null +++ b/docs/advisories/20231023005-SolarWinds-ARM-ThreeCriticalRCEVulnerabilities.md 
@@ -0,0 +1,66 @@ +# Three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product - 20231023005 + +## Overview + +SolarWinds has released an advisory for eight vulnerabilities, including three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges. + +## What is the vulnerability? + +**Three Critical Vulnerabilities:** + +[**CVE-2023-35182**](https://nvd.nist.gov/vuln/detail/CVE-2023-35182) - CVSS v3 Base Score: ***8.8*** + - Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM due to the deserialization of untrusted data in the ‘createGlobalServerChannelInternal’ method + + +[**CVE-2023-35185**](https://nvd.nist.gov/vuln/detail/CVE-2023-35185) - CVSS v3 Base Score: ***8.8*** +- Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM due to a lack of validation of user-supplied paths in the ‘OpenFile’ method + + +[**CVE-2023-35187**](https://nvd.nist.gov/vuln/detail/CVE-2023-35187) - CVSS v3 Base Score: ***8.8*** +- Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM without authentication due to lack of validation of user-supplied paths in the ‘OpenClientUpdateFile’ method + + +**Other Vulnerabilities:** + +[**CVE-2023-35180**](https://nvd.nist.gov/vuln/detail/CVE-2023-35180) - CVSS v3 Base Score: ***8.0*** + +- The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API. + +[**CVE-2023-35181**](https://nvd.nist.gov/vuln/detail/CVE-2023-35181) - CVSS v3 Base Score: ***7.8*** + +- The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation. 
+ +[**CVE-2023-35183**](https://nvd.nist.gov/vuln/detail/CVE-2023-35183) - CVSS v3 Base Score: ***7.8*** + +- The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation. + + +[**CVE-2023-35184**](https://nvd.nist.gov/vuln/detail/CVE-2023-35184) - CVSS v3 Base Score: ***8.8*** + +- The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution. + +[**CVE-2023-35186**](https://nvd.nist.gov/vuln/detail/CVE-2023-35186) - CVSS v3 Base Score: ***8.0*** + +- The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. + + +## What is vulnerable? + +The vulnerability affects the following products: + +- Access Rights Manager 2023.2 + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +- [ARM 2023.2.1 Release Notes (solarwinds.com)](https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm) + +## Additional References + +- [Critical RCE flaws found in SolarWinds access audit solution (bleepingcomputer.com)](https://www.bleepingcomputer.com/news/security/critical-rce-flaws-found-in-solarwinds-access-audit-solution/) +- [ARM 2023.2.1 Release Notes (solarwinds.com)](https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm) 
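Review bot: in the SolarWinds advisory the heading `**Three Critical Vulnerabilities:**` sits above three entries scored `8.8`, which is High rather than Critical on the CVSS v3 qualitative scale, while CVE-2023-35184 (also `8.8` and also unauthenticated RCE) is filed under `**Other Vulnerabilities:**`; either attribute the "critical" label explicitly to SolarWinds's own advisory or group the entries by score consistently. Formatting in the same region: the first bullet under CVE-2023-35182 is indented with a leading space (` - Remote unauthenticated attackers...`) unlike the bullets that follow; the CVE-2023-35187 bullet says the same thing twice (`Remote unauthenticated attackers ... without authentication`); and the ARM 2023.2.1 Release Notes link appears in both Recommendation and Additional References, so one copy can go.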
diff --git a/docs/advisories/20231025001-Guidance-for-Cisco-IOS-XE-Web-UI-Vulnerabilities.md b/docs/advisories/20231025001-Guidance-for-Cisco-IOS-XE-Web-UI-Vulnerabilities.md new file mode 100644 index 00000000..aa189ef6 --- /dev/null +++ b/docs/advisories/20231025001-Guidance-for-Cisco-IOS-XE-Web-UI-Vulnerabilities.md 
@@ -0,0 +1,47 @@ +# Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities - 20231025001 + +## Overview + +Cisco has released guidance for addressing Cisco IOS XE Web UI Vulnerabilities, where an unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system. Exploiting these vulnerabilities allow actors to create privileged accounts that provides complete control over a device. + +## What is the vulnerability? + +[**CVE-2023-20198**](https://nvd.nist.gov/vuln/detail/CVE-2023-20198) - CVSS v3 Base Score: ***10.0*** + - Successfully exploiting this vulnerability allows a threat actor to gain initial access and execute privilege commands to create local user accounts and passwords. + +[**CVE-2023-20273**](https://nvd.nist.gov/vuln/detail/CVE-2023-20273) - CVSS v3 Base Score: ***7.2*** + - Allows an actor to leverage newly created local user account (from previous exploit) to elevate privilege to root and write implants to the file system. + +## What is vulnerable? 
+ +The vulnerability affects the following products: + +- Cisco IOS XE Software if the web UI feature is enabled + + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + + +| **Cisco IOS XE Software Release Train** | **First Fixed Release** | **Available** | +|-----------------------------------------|-------------------------|---------------| +| 17.9 | 17.9.4a | Yes | +| 17.6 | 17.6.6a | TBD | +| 17.3 | 17.3.8a | TBD | +| 16.12 (Catalyst 3650 and 3850 only) | 16.12.10a | TBD | + +- [Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) + +Additional steps for mitigation or for determining if Cisco systems are vulnerable are listed in the [Cisco Security Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z). 
+ +## Additional References + +- [CISA Updates Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities | CISA](https://www.cisa.gov/news-events/alerts/2023/10/23/cisa-updates-guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities) +- [Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities | CISA](https://www.cisa.gov/guidance-addressing-cisco-ios-xe-web-ui-vulnerabilities) +- [Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities (talosintelligence.com)](https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/) +- [Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) + +#### Previous WASOC advisories related to Cisco IOS XE Vulnerabilities: + - [Cisco IOS and IOS XE HTTP WebUI](./20231018001-Cisco-IOS-XE-HTTP-WebUI.md) + - [Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability](./20231011004-Cisco-IOS-Software-Out-of-Bounds-Write-Vulnerability.md) \ No newline at end of file diff --git a/docs/advisories/20231026001-VMware-vCenter-Server-updates-address-out-of-bounds-write-and-information-disclosure-vulnerabilities.md b/docs/advisories/20231026001-VMware-vCenter-Server-updates-address-out-of-bounds-write-and-information-disclosure-vulnerabilities.md new file mode 100644 index 00000000..670fa4bf --- /dev/null +++ b/docs/advisories/20231026001-VMware-vCenter-Server-updates-address-out-of-bounds-write-and-information-disclosure-vulnerabilities.md 
@@ -0,0 +1,37 @@ +# VMware vCenter Server updates address out-of-bounds write and information disclosure vulnerabilities - 20231026001 + +## Overview + +VMware has released updates to address the VMware vCenter Server Out-of-Bounds Write and information disclosure vulnerabilities which would allow threat actors to perform remote code execution and access unauthorised data respectively. + +## What is the vulnerability? + +[**CVE-2023-34048**](https://nvd.nist.gov/vuln/detail/CVE-2023-34048) - CVSS v3 Base Score: ***9.8*** +- This vulnerability allows malicious actor(s) with network access to vCenter Server to perform remote code execution. + +[**CVE-2023-34056**](https://nvd.nist.gov/vuln/detail/CVE-2023-34056) - CVSS v3 Base Score: ***4.3*** +- A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data. + +## What is vulnerable? + +The vulnerability affects the following products: + +- VMware vCenter Server 8.0 +- VMware vCenter Server 7.0 +- VMware Cloud Foundation (VMware vCenter Server) 5.x, 4.x + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +| Product | Version | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation | +|-------------------------------------------------|----------|--------------------------------|----------|-----------|---------------|-------------|--------------------------| +| VMware vCenter Server | 8.0 | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | [8.0U2](https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U2&productId=1345&rPId=110105) | None | [FAQ](https://via.vmw.com/vmsa-2023-0023-qna) | +| VMware vCenter Server | 8.0 | CVE-2023-34048 | 9.8 | Critical | 
[8.0U1d](https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U1D&productId=1345&rPId=112378) | None | [FAQ](https://via.vmw.com/vmsa-2023-0023-qna) | +| VMware vCenter Server | 7.0 | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | [7.0U3o](https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3O&productId=974&rPId=110262) | None | [FAQ](https://via.vmw.com/vmsa-2023-0023-qna) | +| VMware Cloud Foundation (VMware vCenter Server) | 5.x, 4.x | CVE-2023-34048, CVE-2023-34056 | 9.8, 4.3 | Critical | [KB88287](https://kb.vmware.com/s/article/88287) | None | [FAQ](https://via.vmw.com/vmsa-2023-0023-qna) | + +## Additional References + +- [VMSA-2023-0023 (vmware.com)](https://www.vmware.com/security/advisories/VMSA-2023-0023.html) +- [VMware Addresses Multiple Vulnerabilities in vCenter Server (CVE-2023-34048 & CVE-2023-34056) -- Qualys ThreatPROTECT](https://threatprotect.qualys.com/2023/10/25/vmware-addresses-multiple-vulnerabilities-in-vcenter-server-cve-2023-34048-cve-2023-34056/) diff --git a/docs/advisories/20231026002-Mozilla-Releases-Updates-Multiple-Products.md b/docs/advisories/20231026002-Mozilla-Releases-Updates-Multiple-Products.md new file mode 100644 index 00000000..e1a2960a --- /dev/null +++ b/docs/advisories/20231026002-Mozilla-Releases-Updates-Multiple-Products.md 
@@ -0,0 +1,24 @@ +# Mozilla Releases Security Advisories for Multiple Products - 20231026002 + +## Overview + +Mozilla has released security updates to address vulnerabilities in Firefox and Thunderbird. + +## What is vulnerable? + +The vulnerability affects the following products: + +- [Firefox for iOS 119](https://www.mozilla.org/en-US/security/advisories/mfsa2023-48/) +- [Thunderbird 115.4.1](https://www.mozilla.org/en-US/security/advisories/mfsa2023-47/) +- [Firefox ESR 115.4](https://www.mozilla.org/en-US/security/advisories/mfsa2023-46/) +- [Firefox 119](https://www.mozilla.org/en-US/security/advisories/mfsa2023-45/) + + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)) + diff --git a/docs/advisories/20231027001-Roundcube-Webmail-Persistent-Cross-Site-Scripting(XSS)-Vulnerability.md b/docs/advisories/20231027001-Roundcube-Webmail-Persistent-Cross-Site-Scripting(XSS)-Vulnerability.md new file mode 100644 index 00000000..ed99cd12 --- /dev/null +++ b/docs/advisories/20231027001-Roundcube-Webmail-Persistent-Cross-Site-Scripting(XSS)-Vulnerability.md 
@@ -0,0 +1,30 @@ +# Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability - 20231027001 + +## Overview + +The WA SOC has observed vulnerability in Roundcube (a web-based IMAP email client) allowing stored Cross Site Scripting (XSS) via an HTML e-mail message with a crafted Scalable Vector Graphics (SVG) document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. + +## What is the vulnerability? + +[**CVE-2023-5631**](https://nvd.nist.gov/vuln/detail/CVE-2023-5631) - CVSS v3 Base Score: ***5.4*** + +## What is vulnerable? + +The vulnerability affects the following Roundcube products: + +- Webmail versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *two weeks* (refer [Patch Management](../guidelines/patch-management.md)): + +- [Roundcube Security Update 1.6.4](https://roundcube.net/news/2023/10/16/security-update-1.6.4-released) +- [Roundcuber Security Update 1.5.5 and 1.4.15](https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15) + +## Additional References + +- [CISA known Expoited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) diff --git a/docs/advisories/20231027003-BIG-IP-RCE.md b/docs/advisories/20231027003-BIG-IP-RCE.md new file mode 100644 index 00000000..585c437c --- /dev/null +++ b/docs/advisories/20231027003-BIG-IP-RCE.md 
@@ -0,0 +1,40 @@ +# BIG-IP Configuration utility unauthenticated RCE - 20231027003 + +## Overview + +An unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses may be able to execute arbitrary system commands due to an authentication bypass vulnerability. + +**F5 have updated their advisory to include indicators of compromise - Please see the Recommendation section for details.** + +## What is the vulnerability? + +[**CVE-2023-46747**](https://nvd.nist.gov/vuln/detail/CVE-2023-46747) - CVSS v3 Base Score: ***9.8*** + +## What is vulnerable? + +The vulnerability affects the following product from F5: + +- BIG-IP + - affected from 17.1.0 + - unaffected from Hotfix-BIGIP-17.1.0.3.0.75.4-ENG.iso + - affected from 16.1.0 + - unaffected from Hotfix-BIGIP-16.1.4.1.0.50.5-ENG.iso + - affected from 15.1.0 + - unaffected from Hotfix-BIGIP-15.1.10.2.0.44.2-ENG.iso + - affected from 14.1.0 + -unaffected from Hotfix-BIGIP-14.1.5.6.0.10.6-ENG.iso + - affected from 13.1.0 + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 2 weeks (refer [Patch Management](../guidelines/patch-management.md)): + +- [BIG-IP Configuration utility unauthenticated remote code execution vulnerability CVE-2023-46747](https://my.f5.com/manage/s/article/K000137353) + +Review your environment for **indicators of compromise**: + +- F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748. For indicators of compromise for CVE-2023-46748, please refer to [K000137365: BIG-IP Configuration utility authenticated SQL injection vulnerability CVE-2023-46748](https://my.f5.com/manage/s/article/K000137365). 
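Review bot: in the BIG-IP RCE advisory the list item `-unaffected from Hotfix-BIGIP-14.1.5.6.0.10.6-ENG.iso` is missing the space after the dash, so it will not render as a list item; and the `affected from 13.1.0` entry has no matching `unaffected from` line, although the companion SQLi advisory for CVE-2023-46748 later in this same change lists `13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG.iso`. Check against K000137353 and add the fixed build for 13.1 or state that none is available. Also `timeframe of 2 weeks` is plain text where the other advisories write `*two weeks*` in italics.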
diff --git a/docs/advisories/20231027004-Multiple-Vulnerabilities-in-Cisco-IOS-XE-Software-Web-UI-Feature.md b/docs/advisories/20231027004-Multiple-Vulnerabilities-in-Cisco-IOS-XE-Software-Web-UI-Feature.md new file mode 100644 index 00000000..b2192325 --- /dev/null +++ b/docs/advisories/20231027004-Multiple-Vulnerabilities-in-Cisco-IOS-XE-Software-Web-UI-Feature.md 
@@ -0,0 +1,54 @@ +# Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature - 20231027004 + +## Overview + +Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. + +## What is the vulnerability? + +[**CVE-2023-20198**](https://nvd.nist.gov/vuln/detail/CVE-2023-20198) - CVSS v3 Base Score: ***10.0*** + - Successfully exploiting this vulnerability allows a threat actor to gain initial access and execute privilege commands to create local user accounts and passwords. + +[**CVE-2023-20273**](https://nvd.nist.gov/vuln/detail/CVE-2023-20273) - CVSS v3 Base Score: ***7.2*** + - Allows an actor to leverage newly created local user account (from previous exploit) to elevate privilege to root and write implants to the file system. + +## What is vulnerable? + +The vulnerability affects the following products: + +- Cisco IOS XE Software with the web UI feature enabled. + +**Products Confirmed Not Vulnerable** +Cisco has confirmed that these vulnerabilities do not affect the following Cisco products: + +- Adaptive Security Appliance (ASA) Software +- Firepower Threat Defense (FTD) Software +- IOS Software +- IOS XE Software prior to Release 16 +- NX-OS Software + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +| **Cisco IOS XE Software Release Train** | **First Fixed Release** | **Available** | +|-----------------------------------------|-------------------------|---------------| +| 17.9 | 17.9.4a | Yes | +| 17.6 | 17.6.6a | TBD | +| 17.3 | 17.3.8a | TBD | +| 16.12 (Catalyst 3650 and 3850 only) | 16.12.10a | TBD | + +IOS XE Software Maintenance Upgrade (SMU): + +| **Cisco IOS XE Software Release Train** | **Base Release** | **SMU Available** | 
+|-----------------------------------------|------------------|-------------------| +| 17.9 | 17.9.4 | Yes | +| 17.6 | 17.6.5 | TBD | + +Cisco strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature. + +***Note***: A list of IOC's (Indicators of Compromise) provided in [Cisco's advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) that can be used to determine if a system have been compromised. + +## Additional References + +- [Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) \ No newline at end of file diff --git a/docs/advisories/20231027005-Apple-Releases-Security-Advisories-for-Multiple-Products.md b/docs/advisories/20231027005-Apple-Releases-Security-Advisories-for-Multiple-Products.md new file mode 100644 index 00000000..84ed98a5 --- /dev/null +++ b/docs/advisories/20231027005-Apple-Releases-Security-Advisories-for-Multiple-Products.md 
@@ -0,0 +1,41 @@ +# Apple Releases Security Advisories for Multiple Products - 20231027005 + +## Overview + +Apple has released security updates to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected device. + + +## What is vulnerable? + +The vulnerability affects the following products: + +- iOS 17.1 and iPadOS 17.1 - [Apple Security Updates](https://support.apple.com/en-us/HT213982) +- iOS 16.7.2 and iPadOS 16.7.2 - [Apple Security Updates](https://support.apple.com/en-us/HT213981) +- iOS 15.8 and iPadOS 15.8 - [Apple Security Updates](https://support.apple.com/en-us/HT213990) +- macOS Sonoma 14.1 - [Apple Security Updates](https://support.apple.com/en-us/HT213984) +- macOS Ventura 13.6.1 - [Apple Security Updates](https://support.apple.com/en-us/HT213985) +- macOS Monterey 12.7.1 - [Apple Security Updates](https://support.apple.com/en-us/HT213983) +- tvOS 17.1 - [Apple Security Updates](https://support.apple.com/en-us/HT213987) +- watchOS 10.1 - [Apple Security Updates](https://support.apple.com/en-us/HT213988) +- Safari 17.1 - [Apple Security Updates](https://support.apple.com/en-us/HT213986) + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +| **Name and information link** | **Available for** | **Release date** | +|---|---|---| +| [iOS 17.1 and iPadOS 17.1](https://support.apple.com/kb/HT213982) | iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later | 25 Oct 2023 | +| [iOS 16.7.2 and iPadOS 16.7.2](https://support.apple.com/kb/HT213981) | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation 
and later, iPad 5th generation and later, and iPad mini 5th generation and later | 25 Oct 2023 | +| [iOS 15.8 and iPadOS 15.8](https://support.apple.com/kb/HT213990) | iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) | 25 Oct 2023 | +| [macOS Sonoma 14.1](https://support.apple.com/kb/HT213984) | macOS Sonoma | 25 Oct 2023 | +| [macOS Ventura 13.6.1](https://support.apple.com/kb/HT213985) | macOS Ventura | 25 Oct 2023 | +| [macOS Monterey 12.7.1](https://support.apple.com/kb/HT213983) | macOS Monterey | 25 Oct 2023 | +| [tvOS 17.1](https://support.apple.com/kb/HT213987) | Apple TV HD and Apple TV 4K (all models) | 25 Oct 2023 | +| [watchOS 10.1](https://support.apple.com/kb/HT213988) | Apple Watch Series 4 and later | 25 Oct 2023 | +| [Safari 17.1](https://support.apple.com/kb/HT213986) | macOS Monterey and macOS Ventura | 25 Oct 2023 | + + +## Additional References + +- [Apple Releases Security Advisories for Multiple Products | CISA](https://www.cisa.gov/news-events/alerts/2023/10/26/apple-releases-security-advisories-multiple-products) diff --git a/docs/advisories/20231031001-VMware-Tools-Multiple-Vulnerabilities.md b/docs/advisories/20231031001-VMware-Tools-Multiple-Vulnerabilities.md new file mode 100644 index 00000000..619586f1 --- /dev/null +++ b/docs/advisories/20231031001-VMware-Tools-Multiple-Vulnerabilities.md 
@@ -0,0 +1,38 @@ +# VMware Tools Local Privilege Escalation and SAML Token Signature Bypass Vulnerabilities - 20231031001 + +## Overview + +The WA SOC has observed multiple vulnerabilities released in VMWare tools. + +VMware Tools contains a local privilege escalation vulnerability. A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine. + +VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted [Guest Operation Privileges](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html)  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more [privileged Guest Alias](https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html) + +## What is the vulnerability? + +[**CVE-2023-34057**](https://nvd.nist.gov/vuln/detail/CVE-2023-34057) - CVSS v3 Base Score: ***7.8*** + +[**CVE-2023-34058**](https://nvd.nist.gov/vuln/detail/CVE-2023-34058) - CVSS v3 Base Score: ***7.5*** + +## What is vulnerable? + +The vulnerability affects the following VMWare tools versions: + +- before 12.1.1 (running on macOS) +- before 12.3.5 (running on Windows) + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. 
+ +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *two weeks* (refer [Patch Management](../guidelines/patch-management.md)): + +- [VMWare tools release notes for Windows](https://docs.vmware.com/en/VMware-Tools/12.3/rn/vmware-tools-1235-release-notes/index.html) + +## Additional References + +- [VMWare Security Advisory](https://www.vmware.com/security/advisories/VMSA-2023-0024.html) + + diff --git a/docs/advisories/20231101001-BIG-IP-SQLI.md b/docs/advisories/20231101001-BIG-IP-SQLI.md new file mode 100644 index 00000000..fb3cfcfc --- /dev/null +++ b/docs/advisories/20231101001-BIG-IP-SQLI.md 
@@ -0,0 +1,59 @@ +# BIG-IP Configuration utility authenticated SQL injection - 20231101001 + +## Overview + +An authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses may be able to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only. + +F5 has observed threat actors using this vulnerability in combination with CVE-2023-46747. + +**F5 have updated their advisory to include indicators of compromise - Please see the Recommendation section for details.** + +## What is the vulnerability? + +[**CVE-2023-46748**](https://nvd.nist.gov/vuln/detail/CVE-2023-46748) - CVSS v3 Base Score: ***8.8*** + +## What is vulnerable? + +The vulnerability affects the following product from F5: + +- BIG-IP + - affected from 17.1.0 + - unaffected from Hotfix-BIGIP-17.1.0.3.0.75.4-ENG.iso + - affected from 16.1.0 + - unaffected from Hotfix-BIGIP-16.1.4.1.0.50.5-ENG.iso + - affected from 15.1.0 + - unaffected from Hotfix-BIGIP-15.1.10.2.0.44.2-ENG.iso + - affected from 14.1.0 + - unaffected from Hotfix-BIGIP-14.1.5.6.0.10.6-ENG.iso + - affected from 13.1.0 + - 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG.iso + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 2 weeks (refer [Patch Management](../guidelines/patch-management.md)): + +- [BIG-IP Configuration utility authenticated SQL injection vulnerability CVE-2023-46748](https://my.f5.com/manage/s/article/K000137365) + +Review your environment for **indicators of compromise**: + +F5 has observed threat actors using this vulnerability in combination with CVE-2023-46747. Below are the indicators of compromise observed with CVE-2023-46748. 
+ +You may see entries in the /var/log/tomcat/catalina.out file similar to the following example: + +``` +{...} +java.sql.SQLException: Column not found: 0. +{...) +sh: no job control in this shell +sh-4.2$ +sh-4.2$ exit. +``` + +In the previous example, note the following: + +In the line of Column not found: 0, the 0 can be replaced with a different number. +In the line of , the command will be replaced with a different command. diff --git a/docs/advisories/20231101002-Improper-Authorization-Vulnerability-In-Confluence-Data-Center-and-Server.md b/docs/advisories/20231101002-Improper-Authorization-Vulnerability-In-Confluence-Data-Center-and-Server.md new file mode 100644 index 00000000..60145e83 --- /dev/null +++ b/docs/advisories/20231101002-Improper-Authorization-Vulnerability-In-Confluence-Data-Center-and-Server.md 
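Review bot: the explanatory list under the catalina.out example has lost its placeholder: "In the line of , the command will be replaced with a different command" reads as though a `<command>` token was swallowed as an HTML tag by markdown, and the sample log likewise shows a bare `sh-4.2$` prompt with nothing after it; wrap the placeholder in backticks or escape the angle brackets so both the sentence and the sample render, and turn the two "In the line of ..." sentences into list items so they match the "note the following:" lead. Smaller points in the same hunk: the third line of the log sample is `{...)` with a mismatched bracket, and the 13.1 entry in "What is vulnerable?" ("affected from 13.1.0 / 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG.iso") does not follow the "affected from / unaffected from" pattern used for the other branches, so it is unclear whether 13.1.5.1 alone is fixed or only 13.1.5.1 with that hotfix.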
@@ -0,0 +1,41 @@ +# Improper Authorization Vulnerability In Confluence Data Center and Server - 20231101002 + +## Overview + +Atlassian has announced a vulnerability in Confluence Data Center and Server solutions. + +All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. There is no impact to confidentiality as an attacker cannot exfiltrate any instance data. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue. + +## What is the vulnerability? + +[**CVE-2023-22518**](https://nvd.nist.gov/vuln/detail/CVE-2023-22518) - CVSS v3 Base Score: ***9.1*** - Improper Authorization + +## What is vulnerable? + +The vulnerability affects the following products: + +- All versions of Confluence Data Center and Confluence Server + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +- Atlassian recommends that you upgrade your instance to one of the versions listed in the "Fixed Versions" table section. For full descriptions of the above versions of Confluence Data Center and Server, see the [release notes](https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the [download center](https://www.atlassian.com/software/confluence/download-archives). + +| **Product** | **Fixed Versions** | +|:-----------------:|:----------------------:| +| Confluence Data Center
Confluence Server | 7.19.16 or later
8.3.4 or later
8.4.4 or later
8.5.3 or later
8.6.1 or later | + +Additional ***Mitigations*** are listed in the Atlassian's Jira ticket for the vulnerability found [here](https://jira.atlassian.com/browse/CONFSERVER-93142). + +## Additional References + +- [NVD - CVE-2023-22518 (nist.gov)](https://nvd.nist.gov/vuln/detail/CVE-2023-22518) + +- [[CONFSERVER-93142] Improper Authorization in Confluence Data Center and Server - CVE-2023-22518 - Create and track feature requests for Atlassian products.](https://jira.atlassian.com/browse/CONFSERVER-93142) + +- [CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server | Atlassian Support | Atlassian Documentation](https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html) diff --git a/docs/advisories/20231102001-Apache-Active-MQ-Unauthenticated-RCE.md b/docs/advisories/20231102001-Apache-Active-MQ-Unauthenticated-RCE.md new file mode 100644 index 00000000..3570de4e --- /dev/null +++ b/docs/advisories/20231102001-Apache-Active-MQ-Unauthenticated-RCE.md 
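Review bot: the "Fixed Versions" cell in the Product/Fixed Versions table spans five source lines (7.19.16 through 8.6.1, with "Confluence Data Center / Confluence Server" likewise split across two lines in the first column), but a markdown table row has to sit on a single line, so this table will not render as intended in mkdocs; join the versions with `<br>` or replace the table with a bullet list. Also: "*one month...*" carries a trailing ellipsis that the other advisories' timeframes do not, "in the Atlassian's Jira ticket" should be "in Atlassian's Jira ticket", and the Jira link in Additional References repeats the generic page title ("Create and track feature requests for Atlassian products"), which could be trimmed to the ticket title.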
@@ -0,0 +1,43 @@ +# Apache ActiveMQ Unauthenticated RCE via Deserialization - 20231102001 + +## Overview + +Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Rapid7 [Managed Detection and Response Team](https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/) has observed activity exploitation of this vulernability. + +## What is the vulnerability? + +[**CVE-2023-46604**](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) - CVSS v3 Base Score: ***10.0*** - Remote Code Execution + +## What is vulnerable? + +The vulnerability affects the following products: + +- Affected versions: + + - Apache ActiveMQ 5.18.0 before 5.18.3 + - Apache ActiveMQ 5.17.0 before 5.17.6 + - Apache ActiveMQ 5.16.0 before 5.16.7 + - Apache ActiveMQ before 5.15.16 + - Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3 + - Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6 + - Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7 + - Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16 + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +Apache recommended to upgrade to version **5.15.16, 5.16.7, 5.17.6, or 5.18.3**, which fixes this issue. 
+ + +## Additional References + +- [NVD - CVE-2023-46604 (nist.gov)](https://nvd.nist.gov/vuln/detail/CVE-2023-46604) + +- [Apache Security Bulletin](https://activemq.apache.org/security-advisories.data/CVE-2023-46604) + +- [Apache Issue Tracker](https://issues.apache.org/jira/browse/AMQ-9370) diff --git a/docs/guidelines/annual-implementation-reporting.md b/docs/guidelines/annual-implementation-reporting.md new file mode 100644 index 00000000..d3fe07a0 --- /dev/null +++ b/docs/guidelines/annual-implementation-reporting.md 
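Review bot: the Overview paragraph needs copy fixes before publishing: "Remote Code Execution.The vulnerability" is missing a space, "vulernability" is misspelt, and "has observed activity exploitation of" should read "has observed active exploitation of". In the Recommendation, "*48 hours...*" carries a stray ellipsis, and "Apache recommended to upgrade to version **5.15.16, 5.16.7, 5.17.6, or 5.18.3**, which fixes this issue" reads better as "Apache recommends upgrading to version **5.15.16, 5.16.7, 5.17.6 or 5.18.3**, which fix this issue"; the recommendation would also be clearer as a bullet, matching the other advisories in this change.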
@@ -0,0 +1,123 @@ +# Annual Implementation Report + +This page has been designed to accompany the 2023 WA Cyber Security Policy Annual Implementation Report Template and provides additional guidance for assessors when answering questions in the provided template. + +## Cyber Security Policy + +This section provides guidance for the sheet **2. Cyber Security Policy** + +### Lead + +| ID | No | Yes | +|---|---|---| +| 1.1 | The entity does not list roles and responsibilities of the Accountable Authority within the organisation's Cyber/Information Security Policy | The entity defines roles and responsibilities of the Accountable Authority within the organisation's Cyber/Information Security Policy in line with the requirements of the WA Cyber Security Policy | + +### Identify + +| ID | Not Started | Implementation in Progress | Implemented with Issues | Implemented and Monitoring | +|---|---|---|---|---| +| 2.1.1A | The entity does not track or maintain a list of physical devices and systems. | The entity has incomplete list of inventory and is in the process of completing its inventory list. | The entity has established inventory but not maintained | The entity maintains physical device and system inventory and manages this during their lifecycle. | +| 2.1.1B | The entity does not track or maintain a list of software and applications use to service business. | The entity has incomplete list of inventory or is in the process of completing its inventory list. | The entity has established inventory but not maintained. | The entity maintains a software platforms and applications inventory and manages this during their lifecycle. | +| 2.1.1C | The entity does not track or maintain a list of External information systems | The entity has incomplete list of inventory or is in the process of completing its inventory list. | The entity has established inventory but not maintained as agreed within service level agreement. 
| The entity maintains a list of External information systems and manages these through service level agreement during their lifecycle. | +| 2.1.1D | The entity does not track or maintain a list of critical functions and system dependencies. | The entity has incomplete list of critical functions and system dependencies, and is in the process of completing its inventory list. | The entity has list of critical functions and system dependencies but not regularly maintained. | The entity maintained list of critical functions and system dependencies | +| 2.1.1E | Organisation understood legal and regulatory requirements but do not have roadmap to achieve compliance. | Legal and regulatory requirements are understood, and implementation program to achieve compliance is in progress. | Legal and regulatory requirements are understood and implemented. | Legal and regulatory requirements are understood, implemented and compliance are maintained. | +| 2.1.1F | The entity does not track or maintain a list of information systems, components and services provided by suppliers or third-parties. | The entity has an incomplete list of information systems, components and services provided by suppliers and third-parties. | The entity has a list of information systems, components and services provided by suppliers and third-parties. | The entity maintains a list of Information systems, components and services maintained by suppliers and third-parties , and actively manages the lifecycle of these systems. | +| 2.3.1 | The entity has not developed a cyber security risk management strategy or has an ad-hoc approach to reducing cyber security risk within their organisation. | The entity is in the process of developing a cyber security risk management strategy or roadmap to reducing cyber security risk within their organisation. | The entity has developed a cyber cyber risk strategy, established a risk management program. 
| The entity has approved a cyber risk strategy updated in the last year, has established a risk management program, and tracks progress using a treatment action plan. | + +### Protect + +| ID | Not Started | Implementation in Progress | Implemented with Issues | Implemented and Monitoring | +|---|---|---|---|---| +| 3.3.5 | The entity does not have any mechanism in place for the public to report vulnerabilities. | The entity is currently developing a reporting mechanism for public to report vulnerabilities. | The entity has published mechanism for the public to report vulnerabilities, however does not respond or action vulnerabilities in a timely manner. | The entity has a established reporting mechanism is in place and and action is taken in timely manners to remediate vulnerabilities.

For example [www.wa.gov.au Vulnerability Disclosure Policy](https://www.wa.gov.au/government/publications/vulnerability-disclosure-policy) or security.txt based on [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116) | +| 3.5.1 | The entity does not perform Training and Awareness for cyber security or information security for staff. | The entity provides ad-hoc Training and Awareness for cyber security for staff.

The entity does not provide targeted or specialised education for users with privileged access or positions of authority/trust. | The entity provides regular Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour.

The entity provides ad-hoc targeted or specialised education for users with privileged access or positions of authority/trust. | The entity provides structured Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour and measuring improvement.

The entity provides regular targeted or specialised education for users with privileged access or positions of authority/trust. | +| 3.6.1 | The entity does not consider the security risks for staff travelling with devices overseas. | The entity understand the risk and currently in process of implementing technical and governance measures for staff travelling with devices overseas. The entity may have ad-hoc processes for device management when staff travel overseas. | The entity has effective cybersecurity measures, encompassing both technical and governance aspects, without active monitoring. The entity has processes for device management when staff travel overseas. | The entity has effective cybersecurity measures, encompassing both technical and governance aspects, and maintains active monitoring. The entity has processes for devices management such a provisioning temporary "burner" devices and have processes to reduce risk for devices returning from overseas. | +| 3.6.2 | The entity does not consider the security risks for staff travelling overseas. | The entity understands the risk and currently in process of implementing technical and governance measures. | The entity has effective cybersecurity measures, encompassing both technical and governance aspects, without active monitoring. | The entity has effective cybersecurity measures, encompassing both technical and governance aspects, and maintains active monitoring. | +| 3.7.1 | The entity does not define risk management processes or clauses for third party within procurement contract. | The entity is currently developing risk management processes for third party vendors. | The entity incorporated cyber security requirements for third-party vendors within procurement contract, without progress are being tracked through service level agreement. | The entity incorporates cyber security requirements for third party vendors within procurement contract and progress are tracked through service level agreement. 
| +| 3.7.5 | The entity does not review where data is stored when procuring systems. | The entity is developing formal position. | The entity has approved position to satisfy this task and assurance are not tracked | The entity has approved position that is aligned to [WA Government Data Offshoring Position](https://www.wa.gov.au/government/publications/western-australian-government-data-offshoring-position-and-guidance-0) and monitors existing contracts/suppliers to ensure that data and information systems are aligned with the entity's approved position. | +| 3.8.1 | The entity lacks processes for securing physical assets and does not track or manage access to them. | The entity tracks some assets are and efforts are underway to expand control management to the remaining areas. | The entity mostly manages access to assets however there may be areas where the management is not fully consistent. | The entity manages physical access to assets and is tracked and audited on a regular basis. | +| 3.9.1 | The entity does not securely dispose digital media. | The entity is developing disposal processes requirements or assessing vendors that could be partnered with to manage disposal of digital media. | The entity has a secure disposal process, such as media sanitisation or media destruction techniques, but does not ensure vendor compliance with certificates. | The entity has a secure disposal process, such as media sanitisation or media destruction techniques, ensuring vendor compliance with certificates. | + +### Detect + +| ID | Not Started | Implementation in Progress | Implemented with Issues | Implemented and Monitoring | +|---|---|---|---|---| +| 4.1.1 | The entity does not capture network events from workstations. | The entity captures network events for some endpoints and is working on expanding the collection of these events to cover all workstations. | The entity captures network events from most workstation within SIEM.

The entity is developing processes to monitor and analyse network events to identify suspected cyber security incidents. | The entity captures network events are from workstations within SIEM.

The entity actively monitors and analyses these to identify suspected cyber security incidents. | +| 4.1.2 | The entity does not capture Command line processes from workstations. | The entity captures command line process from workstations and is working on expanding the collection of these event to cover all workstations. | The entity captures command line process from most workstation within SIEM.

The entity is developing processes to monitor and analyse command line processes to identify suspected cyber security incidents. | The entity captures command line processes from workstations within SIEM.

The entity actively monitors and analyses these to identify suspected cyber security incidents. | +| 4.1.3 | The entity does not capture email events and URLS visited by workstations. | The entity partially captures email events or URLS visited by workstations. | The entity captures email events and URLS visited by workstations within SIEM.

The entity is developing processes to monitor and analyse email events and URLS visited by workstations. | The entity captures email events and URLS visited by workstations within SIEM.

The entity actively monitors and analyses these to identify suspected cyber security incidents. | +| 4.1.4 | The entity does not capture identity events (logons and group/role changes). | The entity partially captures identity events across ICT infrastructure. | The entity captures identity events across most ICT infrastructure (on-premises and cloud) within SIEM.

The entity is developing processes to monitor and analyse identity events. | The entity captures identity across ICT infrastructure (on-premises and cloud) within SIEM.

The entity actively monitors and analyses these to identify suspected cyber security incidents. | +| 4.3.1 | The entity does not have a Security Information and Event Management (SIEM) solution. | Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has low levels of visibility, low coverage of assets (sources) or logs may be distributed in other security solutions not captured by the SIEM.

SIEM Logs are stored for only 12 months.

The entity has started testing Incident response plan, processes and technical capabilities. | Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has good of visibility, high coverage of assets (sources) or logs may be distributed in other security security solutions not captured by the SIEM.

Logs are stored for only 12 months.

Incident response plan, processes and technical capabilities are not regularly tested. | Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has excellent visibility, high coverage of assets (sources) and logs from other security security solutions are captured by the SIEM.

Logs are stored for at least 18 months retention period or to meet regulatory requirements. | +| 4.5.1 | The entity does not respond to security alerts. | The entity is developing capabilities to respond to security alerts or is ad-hoc in their approach to responding to security alerts. | The entity has capabilities to respond to security alerts and has developed repeatable processes for security operations staff to respond to security alerts. | The entity has robust capabilities to respond and triage security alerts in a timely manner. | + +### Respond + +| ID | Not Started | Implementation in Progress | Implemented with Issues | Implemented and Monitoring | +|---|---|---|---|---| +| 5.1.1 | The entity does not have an Incident Response Plan. | The entity has developed an Incident Response Plan.

The entity has not tested the Incident Response Plan for greater than one year. | The entity has developed an Incident Response Plan.

The entity has tested the Incident resposne plan within the past year. | The entity has developed robust Incident Response Plans that may include "playbooks" for common cyber threats. The plans are updated on an annual basis or when significant changes to ICT systems occur.

The entity has tested the Incident Response Plan within the past year. Test results or lessons learnt from enacting plans are captured and used to improve existing plans. | + +## ACSC Strategies + +This section provides guidance for the sheet **5. Strategies to Mitigate**. + +The [ACSC strategies to Mitigate Cyber Security Incidents](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents) are ranked in effectiveness of implementation based on the following terms. A maturity assessment tool for each strategy has been provided below with general guidance to enable assessors to determine the agency's implementation of the strategy. + +| Option | Description | +|:---|---| +| **1. Not Applicable** | | +| **2. Not started** | | +| **3. In Progress** | | +| **4. Implemented with Issues** | | +| **5. Implemented and Monitoring** | | + +### Prevent Malware Delivery and Execution + +| Control | Strategy | Not Started | In-Progress | Implemented With Issues | Implemented and Monitoring | ACSC Guidance | +|:---:| --- | --- | --- | --- | --- |:---:| +| **5** | **Automated dynamic analysis of email and web content run in a sandbox** | The entity has not deployed sandbox analysis of inbound email or web content. | The entity has deployed a sandbox analysis solution for inbound email and/or web content that is not fully functional or in audit/passive only mode. | The entity has deployed a sandbox analysis solution for inbound email and/or web content but it uses untuned rule-sets, excessive bypass lists or does not receive timely vendor intelligence definitions. | The Entity has deployed a sandbox analysis solution for inbound email and web content. The solution has finely tuned rule-sets, minimal bypass lists, receives regular vendor intelligence definitions. 
| [link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Automated%20dynamic%20analysis,machine%20or%20honeypot.) | +| **6** | **Email content filtering** | The entity does not perform content filtering of inbound email. | The entity has deployed an email content filtering solution is present that is not finely tuned or left as system defaults for inspection of email content types including file attachments, hyperlinks or is configured in audit/passive mode only. | The Entity has deployed an email content filtering solution and has fine tuned configuration for inspection of email content types, however rulesets are overly permissive.

Content which cannot be scanned is not blocked. | The entity has deployed an email content filtering solution that has fine tuned and robust rulesets configured capturing all inbound mail and the inspection of hyperlinks and attachments. Filtering solution receives regular vendor intelligence definitions.

Content that cannot be scanned is blocked/quarantined.

Inbound mail is blocked if the external sender address is the same as the internal domain. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=machine%20or%20honeypot.-,Email%20content%20filtering,mitigation%20strategies%20is%20available%20in%20the%20Malicious%20Email%20Mitigation%20Strategies%20publication.,-Web%20content%20filtering) | +| **7** | **Web content filtering** | The entity does not perform filtering of web content. | The entity deploys web content filtering is available but not all traffic is subject to filtering or rules are overly submissive. HTTPS traffic is not filtered. | The entity deploys web content filtering for most for HTTP and HTTPs traffic. Filtering rules restrict access to uncategorised, web advertisement, anonymity services, free and anonymous domains used by adversaries. Access to websites via IP address is blocked. | The entity deploys web content filtering for all HTTP and HTTPs traffic. Filtering rules restrict access to uncategorised, web advertisement, anonymity services, free and anonymous domains used by adversaries. Access to websites via IP address is blocked. Filtering rules restrict access to malicious executables, Flash/ActiveX/Java content and Microsoft Office files containing macros. Vendor intelligence definitions are updated regularly. 
| [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Mitigation%20Strategies%20publication.-,Web%20content%20filtering,but%20temporarily%20compromised%20websites%20and%20a%20range%20of%20other%20web%20infrastructure.,-Deny%20corporate%20computers) | +| **8** | **Deny corporate computers direct internet connectivity** | The entity's perimeter firewall is configured to allow corporate computers direct internet access. | The entity's perimeter firewall is configured to only allow corporate computers outbound access to approved ports and protocols including HTTP and HTTPS. | The entity's perimeter firewall is configured to only allow corporate computers outbound access to approved ports and protocols.

Corporate Computers outbound internet traffic for HTTP and HTTPS is routed via a proxy. | The entity's perimeter firewall is configured to only allow corporate computers outbound access to approved ports and protocols.

Corporate Computers outbound internet traffic for HTTP and HTTPS is routed via an authenticated proxy.

Servers are restricted from browsing the internet and accessing email services." | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=other%20web%20infrastructure.-,Deny%20corporate%20computers%20direct%20internet%20connectivity,internet%2Daccessible%20websites%20need%20to%20be%20authenticated%20by%20a%20web%20proxy.,-Operating%20system%20generic) | +| **9** | **Operating system generic exploit mitigation** | The entity deploys operating systems with default exploit mitigation settings enabled.

The entity has Windows 32-bit operating systems present. | The entity deploys operating systems with default exploit mitigation settings enabled.

The entity only has Windows 64-bit operating systems present. | The entity deploys operating systems with Data Execution Prevention, Address Space Layout Randomisation or Enhanced Mitigation Experience Toolkit rules configured on some machines.

The entity only has Windows 64-bit operating systems present. Linux operating systems are deployed with Security-Enhanced Linux (SELinux). | The entity deploys operating systems with Data Execution Prevention, Address Space Layout Randomisation or Enhanced Mitigation Experience Toolkit rules configured all machines.

The entity only has Windows 64-bit operating systems present. Linux operating systems are deployed with Security-Enhanced Linux (SELinux). | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Operating%20system%20generic,party%20software.) | +| **10** | **Server application hardening** | The entity has not assessed or applied Server Application Hardening controls. Default installations may provide insecure configurations that expose server applications to cyber threats. | The entity has commenced applying Server application techniques, such as ASD Hardening for Server Applications and prioritises configurations to internet facing systems. | The entity has applied Server application techniques, such as ASD Hardening for Server Applications, data and applications that access important data. Hardening has been prioritised for internet facing systems.

The entity has chosen Server Applications from vendors that have demonstrated a commitment to secure-by-design and secure-by default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products. OWASP provides principles for Web Applications that mitigate common design. |The entity has applied Server application techniques, such as ASD Hardening for Server Applications, data and applications that access important data. Hardening has been applied internet facing systems and non-internet facing systems.

The entity has chosen Server Applications from vendors that have demonstrated a commitment to secure-by-design and secure-by default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products. OWASP provides principles for Web Applications that mitigate common design. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Server%20application%20hardening,Management%20Systems%20publication.) | +| **11** | **Operating system hardening** | The entity has not assessed or applied Operating System Hardening controls. Default installations may provide insecure configurations that expose Operating Systems to cyber threats. | The entity has commenced applying Operating System hardening controls.

File and registry key permissions are hardened and Windows Task Scheduler, DLL search path algorithm and file extension are configured to prevent only users to execute malicious program.

The entity has started disabling unneeded functionalities such as Server Message Block (SMB), Link-Local Multicast Name Resolution (LLMNR) , Web Proxy Auto-Discovery (WPAD) , RDP and AutoRun. | The entity has applied Operating System hardening controls to most workstations using a managed Standard Operating Environment (SOE).

The entity has commenced applying Operating System hardening controls to servers.

File and registry key permissions are hardened and Windows Task Scheduler, DLL search path algorithm and file extension are configured to prevent only users to execute malicious program.

The entity has disabled unneeded functionalities such as Server Message Block (SMB), Link-Local Multicast Name Resolution (LLMNR) , Web Proxy Auto-Discovery (WPAD) , RDP and AutoRun. | The entity has applied Operating System hardening controls to workstations and servers using a managed Standard Operating Environment (SOE) and monitors for drifts in configuration.

File and registry key permissions are hardened and Windows Task Scheduler, DLL search path algorithm and file extension are configured to prevent only users to execute malicious program.

The entity has disabled unneeded functionalities such as Server Message Block (SMB), Link-Local Multicast Name Resolution (LLMNR) , Web Proxy Auto-Discovery (WPAD) , RDP and AutoRun. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Operating%20system%20hardening,the%20reserved%20range.) | +| **12** | **Antivirus software using heuristics and reputation ratings** | The entity does not install antivirus software to computers or gateways. | The entity has installed antivirus software to some computers that checks file's prevalence or digital signature before execution. | The entity has installed antivirus software on most computers that is configured check a file's prevalence and digital signature before execution.

The entity has installed antivirus software on gateways that check a file's prevalence and digital signature before execution. | The entity has installed antivirus software on all computers that is configured check a file's prevalence and digital signature before execution.

The entity has installed antivirus software on gateway (from a different vendor than computers) that check a file's prevalence and digital signature before execution. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Antivirus%20software%20using,reputation%20rating%20functionality.) | +| **13** | **Control removable storage media and connected devices** | The entity does not control removable storage media and connected devices | The entity has a robust policy and process is in place for storage media and file transfer.

The entity has commenced configuration of controls to restrict access to unapproved storage media and connected devices. | The entity has a robust policy and process is in place for storage media and file transfer.

The entity has configuration of controls to restrict access to unapproved storage media and connected devices on most computers. | The entity has a robust policy and process is in place for storage media and file transfer.

The entity has configuration of controls to restrict access to unapproved storage media and connected devices on all computers.| [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Control%20removable%20storage,external%20device%20connectivity.) | +| **14** | **Block spoofed emails** | The entity does not deploy Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) OR Domain-based Message Authentication, Reporting, and Conformance (DMARC) for domains owned by the agency. | The entity has implemented SPF.

The entity has not commenced configuration DKIM or DMARC. | The entity has implemented SPF.

The entity has commenced DKIM configuration against owned domains.

The entity has commenced DMARC configuration and has policy set to “none” or “quarantine”. | The entity has implemented SPF with hardfail.

The entity has implemented DKIM across email infrastructure.

The Entity has implemented DMARC with policy set to reject. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=external%20device%20connectivity.-,Block%20spoofed%20emails,strategies%20is%20available%20in%20the%20How%20to%20Combat%20Fake%20Emails%20publication.,-User%20education) | +| **15** | **User education** | The entity does not perform Training and Awareness for cyber security or information security for staff. | The entity provides ad-hoc Training and Awareness for cyber security for staff.

The entity does not provide targeted or specialised education for users with privileged access or positions of authority/trust. | The entity provides regular Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour.

The entity provides ad-hoc targeted or specialised education for users with privileged access or positions of authority/trust. | The entity provides structured Training and Awareness for cyber security for staff/users that focuses on influencing user behaviour and measuring improvement.

The entity provides regular targeted or specialised education for users with privileged access or positions of authority/trust. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=User%20education,Engineered%20Messages%20publication.) | +| **16** | **Antivirus software with up-to-date signatures** | The entity does not install antivirus software to computers or gateways. | The entity has signature based antivirus software from reputable vendor installed on some computers or has commenced the deployment on gateways. | The entity has signature based antivirus software from reputable vendor installed on most computers or has commenced the deployment on gateways.

Antivirus software definitions update automatically.

Antivirus software is configured to scan files upon opening or scanned on a regular basis. | The entity has signature based antivirus software from reputable vendor is deployed to all computers and gateways to detect more sophisticated malware.

Antivirus software definitions update automatically and regularly.

Antivirus software is configured to scan files upon opening and scanned on a regular basis. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Antivirus%20software%20with,a%20scheduled%20basis.) | +| **17** | **TLS encryption between email servers** | The entity does not enable Transport Layer Security (TLS) on email servers. | The entity has commenced configuration of Transport Layer Security (TLS) on email servers for inbound or outbound email communication. | The entity has configured Transport Layer Security (TLS) for both inbound and outbound email communication to prevent legitimate emails being intercepted and subsequently leveraged for social engineering. | The entity has enforced Transport Layer Security (TLS) for both inbound and outbound email communication to prevent legitimate emails being intercepted and subsequently leveraged for social engineering.

The entity configures content scanning after email traffic is decrypted as part of ""Email content Filtering"" strategy. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=a%20scheduled%20basis.-,TLS%20encryption%20between%20email%20servers,Perform%20content%20scanning%20after%20email%20traffic%20is%20decrypted.,-Mitigation%20strategies%20to) | + +### Limit the Extent of Cyber Security Incidents + +| Control | Strategy | Not Started | In-Progress | Implemented With Issues | Implemented and Monitoring | ACSC Guidance | +|:---:| --- | --- | --- | --- | --- |:---:| +| **21** | **Disable local administrator account** | The entity does not disable local administrator accounts or set unique credentials for each computer. | The entity has commenced to disable local administrator accounts or managed credentials with a solution such as Windows Local Administrator Password Solution (LAPS) to prevent lateral movement using administrator credentials. | The entity has disabled local administrator accounts or managed credentials with a solution such as Windows Local Administrator Password Solution (LAPS) to prevent lateral movement using administrator credentials for most computers.

Credentials for local administrator accounts are created uniquely and stored within Active Directory or Azure Active Directory. | The entity has disabled local administrator accounts or managed credentials with a solution such as Windows Local Administrator Password Solution (LAPS) to prevent lateral movement using administrator credentials for most computers.

Credentials for local administrator accounts are created uniquely and stored within Active Directory or Azure Active Directory.

Windows LAPS is used to automatically managed Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Disable%20local%20administrator,available%20from%20Microsoft.) | +| **22** | **Network segmentation** | The entity does not perform network segmentation (i.e. flat network). | The entity has deployed network controls such as Virtual LANs, firewalls and access control lists that constrains devices with low assurance (e.g. BYOD and IoT).

The entity has not commenced implementation of Jump boxes, Software based firewall and IPsec for servers and cloud computing infrastructure. | The entity has deployed network controls such as Virtual LANs, firewalls and access control lists that constrains devices with low assurance (e.g. BYOD and IoT), and limited user access to network drives and data repositories based on user duties.

The entity has commenced implementation of Jump boxes, Software based firewall and IPsec for servers and cloud computing infrastructure. | The entity has deployed network controls such as Virtual LANs, firewalls and access control lists that constrains devices with low assurance (e.g. BYOD and IoT), and limited user access to network drives and data repositories based on user duties.

The entity has implementation of Jump boxes, Software based firewall and IPsec for servers and cloud computing infrastructure.

The entity has deployed micro-segmentation or denied traffic between computers unless required. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Network%20segmentation,Own%20Device%20publications.) | +| **23** | **Protect authentication credentials** | The entity has not assessed their environment to protect authentication credentials. | The entity has enforced strong password policies.

The entity has disabled Wdigests (Setting UserLoginCredential to 0), Removed CPasswords (Group Policy Preference XML) and disabled Link-Local Multicast Name Resolution (LLMNR) to prevent password exposure over insecure channels.

The entity changes default passphrases. | The entity has enforced strong password policies and uses solutions to prevent weak passwords.

The entity has disabled Wdigests (Setting UserLoginCredential to 0), Removed CPasswords (Group Policy Preference XML) and disabled Link-Local Multicast Name Resolution (LLMNR) to prevent password exposure over insecure channels.

The entity changes default passphrases and uses Password Vaults to securely store credentials.

The entity may have enabled Credential Guard on Windows 10 or later workstations. | The entity has enforced strong password policies and uses solutions to prevent weak passwords.

The entity has disabled Wdigests (Setting UserLoginCredential to 0), Removed CPasswords (Group Policy Preference XML) and disabled Link-Local Multicast Name Resolution (LLMNR) to prevent password exposure over insecure channels.

The entity changes default passphrases and uses Password Vaults to securely store credentials.

The entity has enabled Credential Guard on Windows 10/Server 2016 or later. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Protect%20authentication%20credentials,credentials%20is%20available%20from%20Microsoft.) | +| **24** | **Non-persistent virtualised sandboxed environment** | The entity does not use non-persistent virtualised sandboxed environments. | The entity only uses non-persistent virtualised environment is used to deny access to sensitive data for some risky activities.

Examples include Microsoft Application Guard (e.g. MS Office/MS Edge). | The entity performs approaches of inbuilt sandbox and non-persistent virtualised environment are used with issues to deny access to sensitive data for most risky activities.

Examples include Microsoft Application Guard or Virtual Desktop Infrastructure with non-persistent profiles. | The entity performs approaches of inbuilt sandbox and non-persistent virtualised environment are used with issues to deny access to sensitive data for all risky activities.

Examples include Microsoft Application Guard or Virtual Desktop Infrastructure with non-persistent profiles. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Non%2Dpersistent%20virtualised,and%20Segregation%20publication.) | +| **25** | **Software-based application firewall, blocking incoming network traffic** | The entity has disabled or does not configure Software-based application firewalls (e.g. Windows Firewall) to prevent incoming network connections. | The entity has commenced configuration of software-based application firewall for incoming network traffic. | The entity has configured software-based application firewall with limited rule set to block malicious and unintended incoming network traffic. | The entity has configured software-based application firewall to block malicious and unintended incoming network traffic. Rules are configured to provide maximum protect to network services and prevent unneeded/unauthorised traffic (following least privilege access principles) | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Software%2Dbased%20application%20firewall%2C%20blocking%20incoming,includes%20software%2Dbased%20application%20firewall%20functionality.) | +| **26** | **Software-based application firewall, blocking outgoing network traffic** | The entity has disabled or does not configure Software-based application firewalls (e.g. Windows Firewall) to prevent outgoing network connections. | The entity has commenced configuration of software-based application firewall for outgoing network traffic. 
| The entity has configured software-based application firewall with limited rule set to block malicious and unintended outgoing network traffic. | The entity has configured software-based application firewall to block malicious and unintended outgoing network traffic. Rules are configured to provide the minimum levels of network activity designed for the user or system (following least privilege access principles). | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Software%2Dbased%20application%20firewall%2C%20blocking%20outgoing,includes%20software%2Dbased%20application%20firewall%20functionality.) | +| **27** | **Outbound web and email data loss prevention** |The entity does not deploy Data Loss Prevention solutions to identify or prevent exfiltration of sensitive organisational data. | The entity has commenced considering applying Data Loss Prevention solutions to identify or prevent exfiltration of sensitive organisational data.

Sensitive Data may be identified and labelled with Data Classification Sensitivity labels, or via sensitive data patterns/keywords.

Some prevention controls may limit exfiltration of sensitive data by logging or blocking access to unapproved cloud computing services including personal webmail. | The entity has configured Data Loss Prevention solutions to identify or prevent exfiltration of sensitive organisational data.

Sensitive Data is identified and labelled with Data Classification Sensitivity labels, or via sensitive data patterns/keywords.

Prevention controls limit exfiltration of sensitive data by logging or blocking access to unapproved cloud computing services including personal webmail.

Outgoing email with sensitive data patterns, size and frequency are logged and reported. | The entity has configured Data Loss Prevention solutions to identify and prevent exfiltration of sensitive organisational data.

Sensitive Data is identified and labelled with Data Classification Sensitivity labels, or via sensitive data patterns/keywords.

Prevention controls limit exfiltration of sensitive data by logging or blocking access to unapproved cloud computing services including personal webmail.

Outgoing email with sensitive data patterns, size and frequency are logged and reported. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Outbound%20web%20and,as%20regular%20expressions.) | + +### Detect Cyber Security Incidents and Respond + +| Control | Strategy | Not Started | In-Progress | Implemented With Issues | Implemented and Monitoring | ACSC Guidance | +|:---:| --- | --- | --- | --- | --- |:---:| +| **28** | **Continuous incident detection and response** | Entity does not have a Security Information and Event Management (SIEM) solution. | Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has low levels of visibility, low coverage of assets (sources) or logs may be distributed in other security solutions not captured by the SIEM.

SIEM Logs are stored for only 12 months.

The entity has started testing Incident response plan, processes and technical capabilities. | Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has good of visibility, high coverage of assets (sources) or logs may be distributed in other security security solutions not captured by the SIEM.

Logs are stored for only 12 months.

Incident response plan, processes and technical capabilities are not regularly tested. | Entity has a Security Information and Event Management (SIEM) solution to perform real-time automated aggregation and correlation of logs from multiple sources to identify patterns of suspicious behaviour is in place.

SIEM has excellent visibility, high coverage of assets (sources) and logs from other security security solutions are captured by the SIEM.

Logs are stored for at least 18 months retention period or to meet regulatory requirements

Incident response plan, processes and technical capabilities are regularly tested. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=incidents%20and%20respond-,Continuous%20incident%20detection%20and%20response,preparation%20for%20adversaries%20attempting%20to%20regain%20access%20to%20the%20organisation%E2%80%99s%20computers.,-Host%2Dbased%20intrusion) | +| **29** | **Host-based intrusion detection/prevention system** | The entity does not have a Host-based intrusion detection/prevention system (HIDS/HIPS). | The entity has commenced configuring Host-based intrusion detection/prevention system (HIDS/HIPS).

The system may be able to identify anomalous behaviour during program execution, but may not be configured to block it. | The entity has configured Host-based intrusion detection/prevention system (HIDS/HIPS) to identify anomalous behaviour.

HIDS/HIPS may be configured aggressively for the operating environment resulting in a high volume of false positives impacting user experience and may impact cyber security incident response teams. | The entity has configured Host-based intrusion detection/prevention system (HIDS/HIPS) to identify anomalous behaviour.

HIDS/HIPS may be configured appropriately for the operating environment providing minimum impact to user experience and supports cyber security incident response teams. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Host%2Dbased%20intrusion,HIDS/HIPS%20functionality.) | +| **30** | **Endpoint detection and response software** | The entity does not use Endpoint Detection and Response (EDR) software. | The entity has commenced deployment of Endpoint detection and response (EDR) software to capture system behaviour logs and other telemetry metadata. | The entity has deployed Endpoint detection and response (EDR) software to most computers to capture system behaviour logs and other telemetry metadata.

EDR software generates enough useful data to enable cyber security incidents to be identified, without causing too many false positives. | The entity has deployed Endpoint detection and response (EDR) software to all computers to capture system behaviour logs and other telemetry metadata.

EDR software generates enough useful data to enable cyber security incidents to be identified, without causing too many false positives.

EDR enables investigation and response activities such as rapidly analysing multiple computers seamlessly, blocking specific network communication attempts and isolating a compromised computer from the network. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Endpoint%20detection%20and,application%20sandboxing/containerisation.) | +| **31** | **Hunt to discover incidents** | The entity does not have the capability or an approach to hunt for incidents. | The entity has initiated threat hunting activities based on knowledge of adversary tradecraft.

The entity may leverage Indicators of compromise and threat intelligence to discover incidents. | The entity performs threat hunting activities based on knowledge of adversary tradecraft.

The entity will leverage Indicators of compromise and threat intelligence to discover incidents. | The entity proactively performs threat hunting activities based on knowledge of adversary tradecraft.

The entity will leverage Indicators of compromise and threat intelligence to discover incidents, however will focus on detecting strategy, tactics, techniques, procedures that are outside of known threats. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Hunt%20to%20discover,Threat%20Hunting%20publication.) | +| **32** | **Network-based intrusion detection/prevention system** | The entity does not have a Network-based intrusion detection/prevention system (NIDS/NIPS). | The entity has commenced configuring network-based intrusion detection/prevention system (NIDS/NIPS). The system may be able to identify anomalous network traffic, but may not be configured to block it. | The entity has configured Network-based intrusion detection/prevention system (NIDS/NIPS) to identify anomalous network behaviour.

NIDS/NIPS may be configured aggressively for the operating environment resulting in a high volume of false positives impacting user experience and may impact cyber security incident response teams. | The entity has configured Network-based intrusion detection/prevention system (NIDS/NIPS) to identify anomalous behaviour.

NIDS/NIPS may be configured appropriately for the operating environment providing minimum impact to user experience and supports cyber security incident response teams. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Threat%20Hunting%20publication.-,Network%2Dbased%20intrusion%20detection/prevention%20system,strategy%2C%20requiring%20potentially%20complicated%20approaches%20to%20decrypt%20and%20inspect%20network%20traffic.,-Capture%20network%20traffic) | +| **33** | **Capture network traffic** | The entity does not capture Network traffic to perform incident detection and analysis. | The entity captures network traffic to create summaries or Metadata of traffic statistics.

The summaries of metadata may identify general network patterns, but may not be sufficient to enable incident detection and analysis. | The entity captures network traffic on incoming and outgoing network traffic without focusing on critical assets storing sensitive data. This enables the entity to perform incident detection and analysis.

Summaries or metadata of traffic statistics may support incident detection and analysis. | The entity captures network traffic on incoming and outgoing network traffic focusing on critical assets storing sensitive data and also traffic traversing network perimeter. This enables the entity to perform incident detection and analysis.

Summaries or metadata of traffic statistics may support incident detection and analysis.| [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=inspect%20network%20traffic.-,Capture%20network%20traffic,that%20users%20are%20aware%20that%20the%20organisation%E2%80%99s%20network%20traffic%20is%20monitored.,-Mitigation%20strategies%20to) | + +### Recover Data and System Availability + +| Control | Strategy | Not Started | In-Progress | Implemented With Issues | Implemented and Monitoring | ACSC Guidance | +|:---:| --- | --- | --- | --- | --- |:---:| +| **35** | **Business continuity and disaster recovery plans** | The entity does not have Business Continuity or Disaster Recovery Plans. | The entity has developed Business Continuity and Disaster Recovery.

The entity has not tested Business Continuity or Disaster Recovery Plans for greater than one year. | The entity has developed Business Continuity and Disaster Recovery plans.

The entity has tested Business Continuity or Disaster Recovery Plans within the past year. | The entity has developed robust Business Continuity and Disaster Recovery plans that focus on critical systems and data. The plans are updated on an annual basis or when significant changes to ICT systems occur.

The entity has tested Business Continuity or Disaster Recovery Plans within the past year. Test results or lessons learnt from enacting plans are captured and used to improve existing plans.| [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Business%20continuity%20and,exhausted%20and%20ineffective.) | +| **36** | **System recovery capabilities** | The entity has limited capabilities to restore operations from significant system failures. | The entity has some capability to restore operations from significant system failures, however processes or systems are manual.

The entity's Third-party contractors/suppliers does not provide timely responses or service levels to meet Business Continuity requirements. | The entity has capability to restore operations from significant system failures.

Processes are semi-automated or consistent to enable timely recovery. The entity may deploy snapshots, Operating System deployment solutions or enterprise mobility to aid in recovery activities.

The entity's Third-party contractors/suppliers provides timely responses or service levels to meet Business Continuity requirements. | The entity has robust capabilities to restore operations from significant system failures and regularly tests system recovery capabilities.

Processes are automated/semi-automated or consistent to enable timely recovery. The entity may deploy snapshots, Operating System deployment solutions or enterprise mobility to aid in recovery activities.

The entity's Third-party contractors/suppliers provides timely responses or service levels to meet Business Continuity requirements. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=System%20recovery%20capabilities,IP%2Dbased%20telephones.) | + +### Preventing Malicious Insiders + +| Control | Strategy | Not Started | In-Progress | Implemented With Issues | Implemented and Monitoring | ACSC Guidance | +|:---:| --- | --- | --- | --- | --- |:---:| +| **37** | **Personnel management** | The entity does not perform pre-employment checks or have processes to manage user access. | The entity performs pre-employment checks and have ad-hoc processes to manage user access. | The entity performs pre-employment checks and has ongoing vetting for privileged access.

The entity has robust process to manage user access including disabling user accounts in a timely manner after. | The entity performs pre-employment checks and has ongoing vetting for privileged access.

The entity has robust process to manage user access including disabling user accounts in a timely manner after.

The entity has programs in place to remind users of security obligations and promotes education that minimises malicious intent. | [Link](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details#:~:text=Personnel%20management,of%20Home%20Affairs.) | diff --git a/docs/guidelines/secure-configuration.md b/docs/guidelines/secure-configuration.md index 8ed57c84..e08c4b7b 100644 --- a/docs/guidelines/secure-configuration.md +++ b/docs/guidelines/secure-configuration.md @@ -12,7 +12,7 @@ A backup of tenant configuration should be taken each month with [Microsoft365DS A tool to review tenant configuration such as the [CISA ScubaGear M365 Secure Configuration Baseline Assessment Tool](https://github.com/cisagov/ScubaGear) should be run against all tenants at least quarterly with results reviewed and retained for 12 months to guide policy remediations and improvements. -![Microsoft365DSC Export UI](https://microsoft365dsc.com/Images/ExportUI.png) +![Microsoft365DSC Export](https://microsoft365dsc.com/Images/Marketing-Export.gif) ![SCuBA Architecture diagram](https://github.com/cisagov/ScubaGear/raw/main/images/scuba-architecture.png) ### Enhanced validation of endpoint configuration diff --git a/mkdocs.yml b/mkdocs.yml index 5249caf2..2cfcfbe9 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -88,6 +88,7 @@ nav: - Configuration Assessment: guidelines/secure-configuration.md - Observable Gap Analysis: guidelines/observables-gap-analysis.md - TTP Detection Guideline: guidelines/TTP_Hunt/ttp-detection-guidelines.md + - Annual Implementation Report: guidelines/annual-implementation-reporting.md - Training: - Security Analyst Induction: training/analyst-induction.md - Azure Basics: training/azure-basics.md
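Review bot: in the Control 23 (Protect authentication credentials) cells, the WDigest setting is misnamed as "Setting UserLoginCredential to 0" in all three maturity columns; the registry value that stops WDigest caching plaintext credentials is `UseLogonCredential` (under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`), and "Removed CPasswords (Group Policy Preference XML)" in the same sentence refers to the `cpassword` attribute, so both names should be corrected before this is published as guidance. Two further content problems in the table: the Control 21 (Disable local administrator account) row uses the identical "for most computers" wording in both the "Implemented With Issues" and "Implemented and Monitoring" columns, so the top maturity level sets no higher bar than the one below it (presumably "all computers" was intended), and "Windows LAPS is used to automatically managed Directory Services Restore Mode (DSRM) account password" should read "automatically manage"; and the Control 37 (Personnel management) cells twice end with the truncated sentence "disabling user accounts in a timely manner after." with no object. Wording that needs cleaning up: the Operating system hardening row preceding Control 12 says "configured to prevent only users to execute malicious program" (meaning unclear; presumably "configured so that users cannot execute malicious programs"), Control 12 has "configured check a file's prevalence" twice (missing "to"), Control 17 carries doubled quotes in `""Email content Filtering""` (a CSV export artifact), Control 24 has "The entity only uses non-persistent virtualised environment is used to deny" and "performs approaches of inbuilt sandbox and non-persistent virtualised environment are used with issues", Control 25 has "maximum protect", the Control 27 Not Started cell is missing the space after its leading `|`, Control 28 has "SIEM has good of visibility" and "security security" (twice) while "Logs are stored for only 12 months" appears in both the In-Progress and Implemented With Issues columns against the 18 months required by the final column, Control 35 has "has developed Business Continuity and Disaster Recovery." (missing "plans"), and Control 36 has "contractors/suppliers does not provide". Finally, if the line break in the Control 26 row before "| The entity has configured software-based application firewall with limited rule set to block malicious and unintended outgoing network traffic." is a real newline in the file rather than an artifact of this view, it will split the table row, since markdown table rows cannot span lines.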
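Review bot: the replacement image `https://microsoft365dsc.com/Images/Marketing-Export.gif` in `docs/guidelines/secure-configuration.md` is hotlinked from the vendor site just like the `ExportUI.png` it replaces, so the page's rendering depends on that host keeping the file at that path; since the ScubaGear architecture diagram on the following line is also remote, consider vendoring both images under `docs/` so the published site does not break or change silently when upstream moves or edits them. The alt text change from "Microsoft365DSC Export UI" to "Microsoft365DSC Export" is fine, but an animated GIF replacing a static screenshot deserves a short caption saying what the export flow it animates is meant to show.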
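Review bot: the new nav entry `- Annual Implementation Report: guidelines/annual-implementation-reporting.md` in `mkdocs.yml` is the only place in this view that names the new page's path, so check that it matches the filename of the added table page exactly; mkdocs only logs a warning for a nav entry that points at a missing file, and the build fails on it only when run with `--strict`, so a typo here would ship a site with a dead nav link rather than break the workflow.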