Cyber Security Assessment focused on secure handling of PII and Sensitive College Data and ensuring Compliance. (For Board/C Suite/Senior Management)
Briefing Intent
- This sample is indicative of the report which you’ll receive at the end of an assessment.
- This redacted report is from assessments done on a number of Defence Suppliers.
- The report provides clarity around the type of user behaviour, data movement and cyber risks that you can expect to be covered during the assessment.
Assessment Scope
The scope of the GuardWare Assessment is to assess the Client's current security processes and controls (ISMS) against the following criteria:
- Ability to securely handle commercially sensitive data in line with Information Security Manual (ISM) recommendations.
- Ability to securely handle Defence related data in line with the requirements of Entry Level DISP.
- Ability to securely handle ITAR related data.
Note: Physical security of office environment and equipment is out of scope for this project.
Assessment Summary
Monitoring Parameters:
- Only Client-owned devices were covered.
- The following types of data were monitored:
  - Sensitive data covering ITAR and Defence-labelled information
  - Generic documents
  - General files of any type, including source code, images, zip archives, etc.
- Monitoring use cases included those recommended under the ACSC ISM and ITAR, and those for secure handling of Defence-related data under DISP.
Monitoring was done from 26th Nov to 13th Dec 2022.
- 158 users monitored on 146 devices
- 16 high-risk actions detected which require urgent attention
- 4 medium-risk actions detected
- 2 suspicious activities detected – need urgent action
- No controls in place to ensure secure handling of sensitive data
- No incident detection capability present in the event of a loss or theft of data
- Non-compliance with 2 of the Essential Eight (ES8) controls: Application Control and Restrict Administrative Privileges
- Non-compliance with secure Defence data handling procedures as per DISP and ISM
- Non-compliance with ITAR regulation
Risk Summary
Use case | Technical control | Risk
High use of unencrypted USBs: 44 users detected using unencrypted USBs to transfer data. | Technical control not implemented | High
High transfer rate: 8 users transferred over 1000 files. | Technical control not implemented | High
Outside of normal business hours: high rate of transfers detected outside of normal working hours. | Technical control not implemented | High
Transfer of potentially sensitive data: the top 8 users were detected transferring thousands of design-related files, and several users transferred files containing potentially sensitive data. | Technical control not implemented | High
Visibility of transfers: visibility of sensitive data transferred using external media. | Technical control not implemented | High
Suspicious User Activities
Suspicious User Activity – User1 – Use of personal email to send corporate data
1. User detected using his personal email to send highly sensitive ITAR-marked data to unauthorised third parties.
2. Non-compliance under ITAR.
Technical control: not implemented | Risk: High
Suspicious User Activity – User2 – Data copied by a user about to leave the organisation
1. User copied thousands of design files and printed his CV during the same period.
2. There is evidence he visited job sites (Indeed) and applied for Defence-related engineering jobs around the time he copied the files.
3. The files were copied to unencrypted USBs, which are most likely personal.
4. He was also observed accessing a personal Google Drive and uploading files to it.
5. He belongs to the Defence User Group.
Technical control: not implemented | Risk: High
Corporate Email Analysis
Use case | Technical control | Risk
Corporate emails forwarded to personal email: email detected being forwarded to a user's own personal email. | Technical control not implemented | Medium
Visibility of email forwards: visibility of which files users have forwarded to personal and free email accounts, to ensure they are accounted for. | Technical control not implemented | High
Use of Personal Emails
Use case | Technical control | Risk
Use of personal emails detected: personal emails have been used to send data. | Technical control not implemented | Medium
Visibility of personal email use: visibility is required to ensure company data is not being sent out via personal emails. | Technical control not implemented | High
Use of Non-Organisational Unauthorised Applications
Use case | Technical control | Risk
Technical control circumvented: users appear to have found a way to install non-organisational applications. Non-compliance with 2 of the Essential Eight (ES8) controls: (1) Restrict administrative privileges; (2) Application control. | Technical control not implemented | Medium
Visibility of application use: visibility of which applications are being used by users. | Technical control not implemented | High
Data Transfer Using Non-Corporate Data Sharing Apps and Websites
Use case | Technical control | Risk
Risky transfer application use: 6 users detected using Dropbox or Google Drive to transfer files; transfers include potentially sensitive data. | Technical control not implemented | Medium
Risky website use: 19 users detected using Facebook and potentially transferring data. | Technical control not implemented | High
Visibility of transfers: visibility of sensitive data transferred using apps and encrypted websites. | Technical control not implemented | High
Printing of Sensitive Data
Use case | Technical control | Risk
Printing of potentially sensitive data: printing of sensitive data was observed. | Technical control not implemented | High
Printing using personal printers: as users are allowed to work from home, there is a risk of files being printed on home printers. | Technical control not implemented | High
Visibility of printing: visibility of which files have been printed, via organisational or personal printers, to ensure they are accounted for. | Technical control not implemented | Medium
Access of Information
Use case | Technical control | Risk
Authorised access to sensitive information: ensuring that sensitive files are accessed only by authorised users. | Technical control not implemented | Medium
Access visibility: visibility of who is accessing which files. | Technical control not implemented | High
Trusted Insider Program Monitoring Suggestion as per ISM and DISP
Trusted insider program
As a trusted insider’s system access and knowledge of business processes often makes them harder to detect, establishing and maintaining a trusted insider program can assist an organisation to detect and respond to trusted insider threats before they occur, or limit damage if they do occur. In doing so, an organisation will likely obtain the most benefit by logging and analysing the following user activities:
1. excessive copying or modification of files
2. unauthorised or excessive use of removable media
3. connecting devices capable of data storage to systems
4. unusual system usage outside of normal business hours
5. excessive data access or printing compared to their peers
6. data transfers to unauthorised cloud services or webmail
7. use of unauthorised Virtual Private Networks, file transfer applications or anonymity networks.
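The ISM activities listed above, together with the thresholds used in the Risk Summary (unencrypted USB use, more than 1000 files transferred, out-of-hours transfers, personal webmail or cloud services, printing), can be expressed as simple detection logic over endpoint activity events. The Python below is an added example, not part of this report or of any GuardWare tooling; the event format, the 08:00-18:00 Monday-to-Friday business-hours window and the list of personal services are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed endpoint-activity events (not from the assessment), one per line:
# timestamp user action target file_count
SAMPLE_LOG = """\
2022-11-28T09:15:00 user1 email_send gmail.com 1
2022-11-28T22:40:00 user2 usb_copy unencrypted 1200
2022-11-29T10:05:00 user2 print cv.pdf 1
2022-11-29T10:30:00 user2 web_upload drive.google.com 35
2022-11-29T11:00:00 user3 usb_copy encrypted 12
2022-11-29T14:00:00 user4 web_upload dropbox.com 3
"""

BUSINESS_HOURS = (8, 18)   # assumed local working window, 08:00-18:00, Mon-Fri
BULK_THRESHOLD = 1000      # "8 users transferred over 1000 files" in the Risk Summary
PERSONAL_SERVICES = {"gmail.com", "drive.google.com", "dropbox.com"}  # assumed list
OUTBOUND_ACTIONS = {"usb_copy", "web_upload", "email_send"}

def parse_events(log_text):
    """Parse the assumed whitespace-separated event format into tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, target, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, target, int(count)))
    return events

def flag_user_activity(log_text):
    """Map each user to the sorted list of ISM trusted-insider indicators they triggered."""
    findings = defaultdict(set)
    files_out = Counter()          # total files leaving the device per user
    for ts, user, action, target, count in parse_events(log_text):
        in_hours = BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1] and ts.weekday() < 5
        if action == "usb_copy":   # unauthorised or excessive use of removable media
            findings[user].add("removable_media")
            if target == "unencrypted":
                findings[user].add("unencrypted_usb")
        if action in OUTBOUND_ACTIONS:
            files_out[user] += count
            if not in_hours:       # unusual system usage outside business hours
                findings[user].add("out_of_hours_transfer")
        if action in ("web_upload", "email_send") and target in PERSONAL_SERVICES:
            findings[user].add("unauthorised_cloud_or_webmail")
        if action == "print":      # printing, to be compared against peers
            findings[user].add("printing")
    for user, total in files_out.items():
        if total > BULK_THRESHOLD:  # excessive copying of files
            findings[user].add("bulk_transfer")
    return {user: sorted(flags) for user, flags in findings.items()}
```

In a real deployment the per-user totals would be compared against peer-group baselines (as the ISM suggests for data access and printing) rather than a single fixed threshold.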
Control: ISM-1625; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A
A trusted insider program is developed, implemented and maintained.
Control: ISM-1626; Revision: 0; Updated: Nov-20; Applicability: All; Essential Eight: N/A
Legal advice is sought regarding the development and implementation of a trusted insider program.
Reference: ACSC Information Security Manual.
Recommended Use Cases Under ISM
Use case | Status
Excessive copying or modification of files | Detected
Unauthorised or excessive use of removable media | Detected
Connecting devices capable of data storage to systems | Detected
Unusual system usage outside of normal business hours | Detected
Excessive data access or printing compared to their peers | Detected
Data transfers to unauthorised cloud services or webmail | Detected
Use of unauthorised Virtual Private Networks, file transfer applications or anonymity networks | Detected