Defence minister and deputy prime minister Richard Marles has foreshadowed “safe harbour” legislation to encourage companies to better cooperate with the government’s cyber agencies during security incidents.
Marles was speaking to the ABC’s AM current affairs program following publication of the ASD’s Cyber Threat Report 2022-2023.
Marles said some kind of safe harbour scheme could address corporate reluctance to engage with cyber security agencies, for fear of future legal or regulatory action.
“This is an issue we are making sure that we get right,” Marles said, “and will form part of the [government’s] cyber strategy that we announce later in the month”.
“If you’re a company and you’re in the midst of a cyber attack, you need the best advice you can get, and the Australian Signals Directorate is our expert here.”
To make sure companies aren’t worried that their information will be shared with other areas of government, Marles said: “That safe harbour concept is a concept we need to see pursued.
“We need to be building the greatest possible confidence that we can, for companies to interact with [the] ASD in the moment, when the attack is happening.”
Linking IT and OT
The ASD report includes reminders of two key issues that still dominate the enterprise threat landscape: inadequate patching, and poorly separated IT and operational technology (OT) networks.
The report states that OT, particularly in critical infrastructure, can be exposed to attack via internet-connected corporate IT systems.
In a detailed discussion of network segment separation, the ASD warned that “if a malicious cyber actor compromises the corporate IT network and gains greater access privileges, then the corporate IT firewall may no longer provide the desired level of protection for the OT environment”.
In 2022-2023, the ASD said, it had responded to 143 incidents related to critical infrastructure.
Most of these attacks, the report stated, were via compromised accounts or credentials; compromised assets, networks or infrastructure; or denial-of-service.
Don’t delay patching
The ASD also warned that prompt patching is more important than ever, with one in five newly-disclosed vulnerabilities now exploited within 48 hours of “a patch or mitigation advice being released”.
That rises to half of new vulnerabilities exploited within two weeks of disclosure.
“Despite more than 90 percent of CVEs [vulnerabilities] having a patch or mitigation advice available within two weeks of public disclosure, 50 percent of the CVEs were still exploited more than two weeks after that patch or mitigation advice was published,” the ASD said.
“These risks are heightened when a proof-of-concept code is available and shared online,” the report added.
The persistence of old vulnerabilities also bothered the ASD, with two patched 2021 vulnerabilities still dominating exploits in the 2022-2023 analysis period: Log4Shell (also known as Log4j, CVE-2021-44228); and ProxyLogon (CVE-2021-26855).
These were “by far the most exploited vulnerabilities throughout the analysis period”, the report said, “representing 29 percent of all CVE-related incidents”.
Even the venerable WannaCry malware, which first emerged in 2017, still generates “periodic reports” from enterprise environments, the ASD said.
Other trends highlighted in the ASD’s statement included state actors focusing on critical infrastructure; and a 23 percent rise in cybercrime reports in the period, to around 94,000.