Govt pushes Flash, Java, web ad blocks in revised infosec manual

The Australian Cyber Security Centre (ACSC) is advising security professionals they “must” block or disable Adobe Flash, web advertisements and “Java from the internet” to harden web browsers against attacks.

The advice is contained in three of 66 new security controls added to the Information Security Manual (ISM) as part of its yearly revision. [pdf]

An update to the ISM, which is the core rulebook for agencies, released this morning [pdf], also states that “258 of 945 security controls were removed”.

Some were removed to encourage changes in security culture from compliance to risk management; many were simply merged or relisted as “supporting documentation”.

The changes were driven in part to align the ISM with the government’s simplified protective security policy framework (PSPF) which came into effect in October, and also by changes in technology - among other factors.

Some of the additions relate to gaps “in guidance on organisation-owned mobile devices”; authorities have previously issued guidance only around bring your own device (BYOD) policies.

“If organisations choose to issue personnel with mobile devices to access their organisation’s information and systems, they should ensure that the devices do not present an unacceptable security risk,” the new advice states.

Three new controls aim to “address a gap in guidance on the hardening of web browsers”. They are given a “must” priority and relate to browsers being configured to block Flash, Java and web ads.

The new ISM also contains three new security controls aimed at reducing the effectiveness of macros in Microsoft Office as a malware vector.

These are: “Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros”; “Microsoft Office macros in documents originating from the Internet are blocked”; and “Microsoft Office macro security settings cannot be changed by users.”

Six new controls target “extreme” or “high-risk” vulnerabilities in operating systems and firmware and how quickly they are patched.

The new requirements include that applying and confirming that patches have been applied is all handled by an automated system.

Other changes include:

• Requirements to regularly review privileged accounts and access
• An entirely new section on backups and restores
• Advice on separating data flows in cross domain solutions

Also of note in the new ISM is a security control that appears to place a dampener on just how far up the government information stack that cloud players like AWS and Microsoft might be allowed to go.

The approval of Azure to handle protected level information this year caused the government and Microsoft some grief as a new series of security controls had to be defined for the purpose.

The ISM puts a limit on how far public cloud can go.

“If using outsourced cloud services for highly classified information, public clouds are not used,” is stipulated as a new security control with a “must” priority.