Shain Singh from F5 explains why stakeholders must conform to security standards to build resilience in the heightened threat environment.
The 2020-21 ACSC Cyber Threat Report shows an increase in cyber security incidents of ‘substantial’ impact, influenced by the COVID-19 pandemic. This equated to one cyber attack every eight minutes, with a growing number targeting large organisations – including cases of data theft and critical services being rendered offline. The trend is likely to continue, with Gartner predicting an 8 per cent increase in security and risk management spending across organisations by the end of 2021 when compared to 2020.
Publications such as the Cyber Security Strategy, the Critical Infrastructure Bill 2020, and the request for consultation on regulator reforms highlight the federal government’s commitment to defining Australia’s cyber security strategy.
Despite this focus, the rise in high-profile cyber attacks on government agencies, services and critical infrastructure is apparent. In fact, the Australian government was among the top five sectors that notified breaches in the first half of the year, a figure that does not account for any state, territory, local or security agencies. The past few years have seen Service NSW, NT Health, ASIC, Transport for NSW, the WA Parliament, NSW Health, and some ministers’ private email accounts listed as victims of cyber attacks or data breaches.
As the digitalisation of government services and critical infrastructure continues, the approach to security needs realignment to compensate.
A DevSecOps approach for applications and services
The digital assets provided by federal and state governments are also on the rise, and the reliance of citizens and organisations on these assets has made them popular targets for malicious actors.
Current discussions about vaccination passports bring issues of security and privacy from the technology domain into general conversation. Security experts have been quick to identify flaws, including ones that allow unauthorised alteration or copying of the digital certificates. The increased scrutiny of such a high-profile technology rollout makes it necessary to ensure the highest cyber security standards for application deployment and integration.
Integrating security earlier in the development phase, by adopting a DevSecOps approach, ensures that meeting industry benchmarks and compliance requirements is not a manual, ad hoc process. Industry best practices and compliance checklists are by definition rules, and rules can be consumed by tools for continuous evaluation of security posture. Standardising these practices will reduce the risk from vulnerabilities and threats that are typically discovered only after an application has been deployed and operationalised.
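As an added example that is not part of the original article or any F5 tooling, the snippet below shows a compliance checklist written as rules that a pipeline can evaluate against a deployment manifest on every change, blocking the deploy when a control fails; the manifest, control identifiers and rules are constructed for illustration.

```python
"""Added example (not from the article): a compliance checklist expressed
as machine-readable rules and evaluated against a constructed manifest."""
from dataclasses import dataclass
from typing import Any, Callable

# Constructed deployment manifest, as a pipeline might load it from YAML/JSON.
MANIFEST = {
    "service": "vaccination-status-api",
    "tls": {"enabled": True, "min_version": "1.1"},
    "auth": {"mfa_required": False, "session_timeout_min": 30},
    "logging": {"audit_events": True, "retention_days": 365},
    "secrets": {"db_password": "env:DB_PASSWORD"},
}

@dataclass(frozen=True)
class Rule:
    control: str          # checklist reference, e.g. "TLS-1" (hypothetical ids)
    description: str
    check: Callable[[dict[str, Any]], bool]

# Checklist items turned into rules a tool can evaluate on every commit.
RULES = [
    Rule("TLS-1", "TLS enabled for all public endpoints",
         lambda m: m["tls"]["enabled"]),
    Rule("TLS-2", "TLS minimum version 1.2 or higher",
         lambda m: tuple(map(int, m["tls"]["min_version"].split("."))) >= (1, 2)),
    Rule("IAM-1", "Multi-factor authentication required",
         lambda m: m["auth"]["mfa_required"]),
    Rule("LOG-1", "Audit logging enabled with 12-month retention",
         lambda m: m["logging"]["audit_events"] and m["logging"]["retention_days"] >= 365),
    Rule("SEC-1", "No literal secrets in manifest (env/vault references only)",
         lambda m: all(v.startswith(("env:", "vault:")) for v in m["secrets"].values())),
]

def evaluate(manifest: dict[str, Any], rules=RULES) -> dict[str, bool]:
    """Return pass/fail per control; a missing or malformed key counts as a failure."""
    results = {}
    for rule in rules:
        try:
            results[rule.control] = bool(rule.check(manifest))
        except (KeyError, TypeError, ValueError, AttributeError):
            results[rule.control] = False
    return results

def failed_controls(manifest: dict[str, Any], rules=RULES) -> list[str]:
    """Controls to report back to the pipeline; a non-empty list blocks the deploy."""
    return sorted(c for c, ok in evaluate(manifest, rules).items() if not ok)

if __name__ == "__main__":
    print("failed controls:", failed_controls(MANIFEST))
```

Running it against the constructed manifest reports TLS-2 and IAM-1 as failing, which is the feedback a pipeline gate would act on before the service ever reaches production.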
Teams need to work collaboratively to foster a culture where security is treated as a quality and safety concern. The digital service used to provide vaccination status is only one example of where a DevSecOps approach becomes indispensable. It can, however, serve as a proving ground for how to roll out the method across the organisation.
People, Technology and Processes
Securing the ‘frontend’ of government digital services is the first, but not the only, area of focus. Agencies of a fair size often have multiple layers of interaction between applications, employees and third parties. The breadth of applications and environments requires a zero trust model for securing network, access and data. Beyond all this, human error can also be a catalyst for incidents, with the OAIC reporting it as the cause of 74 per cent of breaches in the first half of 2021.
Considering recent threats disrupting infrastructure across the globe, the Australian Department of Defence is researching Zero Trust architectures for critical assets, whilst the US Federal government has made the adoption of Zero Trust security models a strategic priority in its recent Executive Order. Shifting to a Zero Trust architecture ensures that ‘backend’ systems gain risk-based conditional access with a perimeter-less approach.
There are also gains in rapidly identifying human error, as proper identification and access control for applications involve bolstering the monitoring of events. Alert and event management solutions play a key part in DevSecOps: they can feed deviations from expected behaviour back into development pipelines, creating a feedback loop. Technology vendors need to address the ability of government agencies to operate and secure their digital assets by treating the procurement guidelines set by the DTA as a baseline.
Establishing a basic DevSecOps capability maturity model, then incrementally improving it, will mean that organisations can shift their focus from vulnerability exposure (abuse of functionality) to more advanced attacks, such as account takeovers and automated threats (abuse of intent).
Repeated data breaches and cyber attacks affecting government agencies and critical infrastructure have highlighted the need for organisations to integrate cyber security into more agile and modern ways of working. This is the only way to keep pace not only with application development cycles but also with malicious actors who continue to innovate and strengthen their capabilities.
Shain Singh is the principal security architect, APCJ at F5.