Cyber Security for
Contractors
JANUARY 2019
Introduction
Adversaries regularly target Australian Government information held by contractors, both classified and unclassified, in
an attempt to gain an economic or strategic advantage.
This document has been developed to assist contractors with appropriately securing Australian Government
information on their systems.
Contractors hold valuable information
Foreign intelligence services are the foremost cyber threat to Australia. Such adversaries seek both national security
and commercial information to identify vulnerabilities in Australian capabilities or to further their own economic or
strategic advantage.
Contractors, both in Australia and overseas, have reported significant increases in malicious cyber activity against their
systems and are priority targets for adversaries1. Often the value to an adversary of the information contained on a
contractor’s systems is not immediately evident. Unclassified information can still be sensitive; in particular, wholesale
aggregation of unclassified information can present a threat to Australia’s interests.
Examples of adversaries compromising contractors include the compromises of:
US aerospace company Boeing, which resulted in gigabytes of information relating to 32 US projects, including
information on the Lockheed Martin F-35 and F-22, as well as the Boeing C-17 aircraft, being sent to China2.
US security vendor RSA, which led to subsequent targeting of US defence contractors Lockheed Martin, L-3
Communications and Northrop Grumman. This cyber security incident is reported to have cost RSA 90 million3.
Cyber intrusion techniques are many and varied. A common cyber intrusion technique used by adversaries is socially
engineered emails targeting high-ranking members of contractors and their support staff. These emails often aim to
exploit common security vulnerabilities such as unpatched applications or operations systems, the use of similar
passwords across systems, or the use of personal devices for work purposes. These emails may be sent directly from an
adversary or from a supplier or subcontractor that an adversary has already compromised in order to leverage a trusted
relationship with their intended target.
1
https://www.washingtonpost.com/world/national-security/confidential-report-lists-us-weapons-system-designscompromised-by-chinese-cyberspies/2013/05/27/a42c3e1c-c2dd-11e2-8c3b-0b5e9247e8ca_story.html
2
https://www.theregister.co.uk/2016/07/15/hacker_gets_46_months_cooler_time_for_shipping_f35_f22_secrets
_to_pla/
3
https://arstechnica.com/information-technology/2011/06/rsa-finally-comes-clean-securid-is-compromised/
1
Essential mitigation strategies
To protect information provided by or developed for the Australian Government, contractors should implement the
Essential Eight from the Strategies to Mitigate Cyber Security Incidents:
Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs
including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers
with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.
Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either
in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the
Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate
the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Patching operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’
vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they
perform a privileged action or access an important (sensitive/high-availability) data repository.
Daily backups of important new/changed data, software and configuration settings, stored disconnected,
retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Perform regular vulnerability assessments
It addition to implementing the Essential Eight, systems should be regularly reviewed for security vulnerabilities,
particularly after significant changes. Vulnerability assessments can be done in-house or by an independent provider
using both automated and manual methods.
Implement an education program for employees
and subcontractors
An education program will provide employees and subcontractors with a better understanding of common cyber
threats such as socially engineered emails, malicious websites and the danger of poor password policies.
Beware of malicious insiders
Adversaries will often attempt to influence contractors’ employees in an attempt to gain access to Australian
Government information or to have them perform actions on a system to benefit their strategic goals. By conducting
ongoing vetting of employees, especially for those with privileged access, controlling the ability to remove Australian
Government information from systems, and implementing a comprehensive audit program, this risk can be lowered.
2
Report cyber security incidents early and often
This includes informing the Australian Cyber Security Centre (ACSC) of any cyber security incidents that could
potentially threaten Australian Government information. Seeking assistance early can mitigate or reduce a potentially
dangerous and embarrassing compromise. By immediately informing the ACSC 4, assistance can be provided without
delay and will contribute to safeguarding Australian Government information.
Use available cyber security resources
Initiatives such as the Defence Industry Security Program (DISP) 5 helps to ensure that contractors are provided with
appropriate security guidance. For example, contractors with membership to the DISP have access to the Defence
Security Principles Framework (DSPF)6 which details the standards, processes and procedures that direct the
application of protective security measures by Defence personnel and external service providers.
Further information
The Australian Government Information Security Manual (ISM) assists in the protection of information that is
processed, stored or communicated by organisations’ systems. This publication can be found at
https://www.acsc.gov.au/infosec/ism/.
The Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM. The complete list of
mitigation strategies and supporting publications can be found at
https://www.acsc.gov.au/infosec/mitigationstrategies.htm.
Contact details
Organisations or individuals with questions regarding this advice can contact the ACSC by emailing
asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).
4
https://www.acsc.gov.au/incident.html
http://www.defence.gov.au/dsvs/Industry/
6
http://www.defence.gov.au/DSVS/dspf.asp
5
3
