The Australian Signals Directorate (ASD) continues its commitment to enhancing Australia’s cybersecurity posture with the latest September 2024 Information Security Manual (ISM) update. This quarterly release addresses emerging cyber threats by refining existing controls and introducing forty new ones, ensuring that organisations across Australia can better secure their environments in today’s evolving threat landscape.
In this article, I will highlight the key changes introduced in the September 2024 ISM release, provide real-world examples to contextualise their impact and analyse how they affect corporations, critical infrastructure providers, and cloud vendors. I will also offer suggestions on how these controls could be further strengthened to ensure even more effective cybersecurity outcomes. I will conclude by acknowledging ASD’s efforts to deliver these updates.
Key ISM Changes and Motivations
1. Media that cannot be successfully sanitised [ISM-1735]
- The September 2024 ISM update introduces a critical control for handling media that cannot be successfully sanitised. According to ISM-1735, the faulty or damaged media must be destroyed when media sanitisation processes repeatedly fail. This ensures that any residual data on the media, which cannot be fully erased through normal sanitisation procedures, is securely disposed of, preventing unauthorised access or recovery of sensitive information. This control is particularly important for organisations dealing with sensitive data stored on damaged or non-functioning media, ensuring that data exposure risks are mitigated effectively.
- Motivation: This update targets the challenge of securely managing faulty or damaged media. It mandates that media that cannot be sanitised must be destroyed to prevent potential data recovery.
- Real-World Incident: The Accellion FTA breach (2021) illustrated how improperly handled media can expose sensitive information. In that case, outdated or insecure media handling led to a data breach.
- Impact: This control ensures that organisations securely handle sensitive media, reducing the risk of data breaches from residual information on unsanitised or compromised media. By enforcing destruction as a final step, organisations mitigate the risk of unauthorised access to sensitive data that could otherwise be recovered.
2. Operating System Event Logging [ISM-0582]
- The September 2024 ISM update includes an important Operating System Event Logging enhancement under ISM-0582. This control mandates that operating system events be centrally logged and prioritised according to the Best Practices for Event Logging and Threat Detection guidelines. This ensures critical events are captured, monitored, and available for audit and threat detection. The update helps organisations maintain comprehensive visibility over system activities, allowing for faster detection of unusual or suspicious behaviour and improving their ability to respond to potential cyber threats promptly.
- Motivation: Event logging is critical to system security, providing valuable insights into unusual activities. This update aligns the control with best practices, ensuring the prioritised collection of high-quality logs.
- Real-World Incident: The SolarWinds attack (2020) exploited inadequate logging to infiltrate and maintain a presence in target systems for extended periods without detection.
- Impact: Organisations benefit from improved event logging, which provides better visibility and early detection of potential attacks. This is especially critical for corporate enterprises and cloud vendors, where comprehensive monitoring is necessary.
3. Microsoft Active Directory Services Hardening
- The September 2024 ISM updates introduce several critical changes to Microsoft Active Directory (AD) and Microsoft Entra ID controls to strengthen security and reduce vulnerabilities across both environments. These updates target both on-premises Active Directory and its integration with cloud-based services like Entra ID, ensuring a more secure synchronisation and identity management process. The key changes are:
  - AD service roles and access: AD services are used only for their designated roles and accessed only by privileged users (ISM-1926, ISM-1927); backups of AD systems are encrypted (ISM-1928); LDAP signing is enabled on domain controllers (ISM-1929); passwords are not stored in Group Policy Preferences (ISM-1930).
  - Microsoft Entra Connect: soft matching is disabled after the initial synchronisation (ISM-1950), hard match takeover is disabled (ISM-1951), and privileged accounts are not synchronised between AD DS and Microsoft Entra ID (ISM-1952).
  - Trusts, service accounts and replication: SID filtering is enabled for domain and forest trusts (ISM-1931); the number of service accounts with Service Principal Names (SPNs) is minimised and those accounts do not have DCSync permissions (ISM-1932, ISM-1933); DCSync permissions are reviewed annually (ISM-1934).
  - Delegation and legacy attributes: unconstrained delegation is prevented for computer accounts (ISM-1935); use of the sIDHistory attribute for user accounts is discouraged (ISM-1936, ISM-1937); Domain Computers security group permissions are restricted to prevent modification of AD objects (ISM-1938).
  - Highly privileged groups: membership of groups like Domain Admins and Enterprise Admins is limited for user and service accounts (ISM-1939, ISM-1940), and computer accounts are prevented from joining these groups (ISM-1941, ISM-1942).
  - Microsoft Active Directory Certificate Services (AD CS): additional controls improve security in AD CS environments (ISM-1943 to ISM-1948).
- Motivation: These controls focus on securing Active Directory (AD) and Microsoft Entra ID services, which are frequent targets for adversaries due to their critical role in authentication and access management. These updates aim to reduce the risk of compromise from identity-based attacks, privilege escalation, and lateral movement within networks by addressing key vulnerabilities in both on-premises and cloud environments.
- Real-World Incident: The WannaCry ransomware attack (2017) exploited vulnerabilities in AD environments, allowing attackers to move laterally across networks and escalate privileges. A similar threat to cloud environments, such as Microsoft Entra ID, could have allowed an attacker to synchronise compromised accounts between on-premises and cloud systems.
- Impact: These controls ensure a more secure setup for Active Directory and Microsoft Entra ID, protecting against unauthorised access, privilege escalation, and ransomware attacks. Critical infrastructure providers, cloud vendors, and other organisations using hybrid identity solutions will benefit from the added security around privileged access, encrypted backups, and identity synchronisation between on-premises AD and cloud services like Microsoft Entra ID. By addressing both on-premises AD security and cloud identity synchronisation, the September 2024 ISM updates enhance the overall security of identity management systems, preventing exploitation through improperly secured accounts, synchronisation processes, and privileged access.
4. Strengthened Password Controls
- The September 2024 ISM update introduces an amendment to the existing control on single-factor authentication passphrase length. Previously, the minimum required length for passphrases was 14 characters, but this has now been increased to 15 under ISM-0421. This change enhances security by making passphrases more resistant to brute-force attacks and other password-cracking techniques.
- Motivation: As password-cracking techniques evolve and attackers gain access to more computing power, longer passphrases are necessary to increase security. By increasing the minimum passphrase length, the control significantly raises the difficulty of brute-force attacks, providing stronger protection against unauthorised access through compromised credentials.
- Real-World Incident: The NotPetya ransomware attack (2017) is a notable example of how weak passwords contributed to the rapid spread of malware. Attackers leveraged weak passwords to escalate privileges, enabling them to move laterally across networks and cause widespread damage. Stronger password controls could have slowed or even prevented the attack's spread.
- Impact: Increasing the minimum passphrase length to 15 characters under ISM-0421 helps organisations reduce the risk of password-cracking and credential theft. This control strengthens password security, ensuring that organisations are better equipped to defend against credential-based attacks. The change also encourages better password hygiene and more secure storage practices, enhancing an organisation's security posture.
5. Separate Privileged Operating Environments
- The September 2024 ISM updates introduce important controls for separate privileged operating environments to enhance security and mitigate the risks associated with privileged accounts. Key changes include preventing DCSync-permissioned user accounts from logging into unprivileged environments (ISM-1958) and ensuring that privileged accounts are only used in secure environments to reduce the risk of compromise. The updates also include requiring encrypted backups of privileged systems and ensuring backup access is limited to backup administrators (ISM-1928), as well as requiring the use of dedicated accounts for managing systems like Microsoft Active Directory Federation Services (AD FS) to isolate privileged activities (ISM-1949). These controls collectively ensure that privileged accounts and environments are isolated from unprivileged systems, preventing attackers from escalating access and exploiting these accounts in lower-security environments.
- Motivation: Segregating privileged and non-privileged environments helps prevent attackers from leveraging compromised accounts with high-level permissions to escalate access within a network.
- Real-World Incident: The Marriott breach (2018) demonstrated the dangers of insufficient segregation between privileged and unprivileged accounts, resulting in a massive data breach.
- Impact: This control ensures attackers cannot exploit higher-level permissions even if they gain access to a non-privileged system. For cloud vendors and critical infrastructure providers, the impact of compromised privileged accounts can be catastrophic, making this control especially important.
6. Credentials for Built-in Administrator Accounts [ISM-1953, ISM-1954]
- New controls introduced in ISM-1953 and ISM-1954 recommend that credentials for built-in Administrator accounts, break glass accounts, and service accounts be long, unique, unpredictable, and randomly generated. This protects high-privilege accounts from being compromised through predictable or weak credentials.
- Motivation: Weak, predictable credentials for high-privilege accounts pose a significant security risk, as these accounts are prime targets for attackers. The introduction of strong, randomised credentials reduces the likelihood of successful account compromises, even in the case of brute-force or credential-stuffing attacks.
- Real-World Incident: The 2017 Equifax data breach is a relevant example where default and weak credentials were contributing factors. Attackers exploited poorly managed credentials—including those associated with privileged accounts—to gain access to sensitive systems. In this case, failure to enforce unique, unpredictable, and secure credentials for privileged accounts such as built-in administrators allowed attackers to escalate their access and exfiltrate a vast amount of sensitive data. The breach highlighted the dangers of leaving administrator accounts with default or weak passwords, which adversaries can easily exploit to gain high-level access within a network. Had stronger password management controls, like those recommended in ISM-1953 and ISM-1954, been enforced, it would have been much more difficult for the attackers to leverage weak or predictable credentials to compromise Equifax’s systems.
- Impact: Enforcing strong, randomised credentials for administrator and service accounts significantly enhances system security by making it harder for attackers to exploit predictable credentials. Organisations benefit from greater protection of their most sensitive systems and accounts.
7. Credential Change Requirements [ISM-1955, ISM-1956]
- New controls under ISM-1955 and ISM-1956 require that credentials for computer accounts and AD FS token-signing certificates be changed under certain circumstances, such as a suspected compromise or if not changed in the last 12 months.
- Motivation: Regularly changing credentials helps prevent credential theft and reduces the likelihood of prolonged exposure. By enforcing regular credential changes, organisations can reduce the window of opportunity for attackers to exploit compromised credentials.
- Real-World Incident: The SolarWinds attack (2020) is a pertinent example. In this case, attackers gained prolonged access to SolarWinds' systems and infiltrated numerous government and private sector networks through credential theft and abuse. A significant factor in the attack's success was the failure to change or update compromised credentials regularly. The attackers used stolen credentials for months to move laterally within networks, escalate privileges, and access sensitive systems. Had strong credential change policies been enforced, such as those recommended by ISM-1955 (requiring changes for compromised credentials) and ISM-1956 (regular changes for AD FS token-signing certificates), the attackers' ability to maintain persistent access over such a long period could have been significantly reduced. Frequent changes would have invalidated compromised credentials, making it more difficult for attackers to maintain control and spread across affected systems.
- Impact: This control improves overall security by ensuring that sensitive credentials are regularly refreshed and not reused beyond secure timeframes. Reducing the lifespan of credentials lowers the chances of exploitation, particularly in environments where attackers may have gained access to outdated credentials.
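Many of the AD controls in section 3 and the computer-account credential age requirement in section 7 can be checked from a domain-joined host. The following PowerShell audit script is an added example (not ASD's or the author's code) that reports leads for ISM-1929 to ISM-1941 and ISM-1955 as this page describes them; it assumes the RSAT ActiveDirectory module, a read-only account that can read the domain ACL and SYSVOL, and its control-to-check mapping is the example's own interpretation of the ISM text.

```powershell
# Added audit example (not ASD's or the article's code): read-only checks for several of the AD
# controls summarised above. Assumes the RSAT ActiveDirectory module on a domain-joined host and an
# account able to read the domain ACL and SYSVOL. The LDAP signing check reads the local registry,
# so run the script on each domain controller. The control-to-check mapping is this example's own
# reading of the ISM text; anything it reports is a lead for review, not a verdict.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Control, [string]$Detail) { $findings.Add("$Control : $Detail") }

# ISM-1929: LDAP signing required on the DC (LDAPServerIntegrity 2 = require signing).
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
if ($ntds -and $ntds.LDAPServerIntegrity -ne 2) {
    Add-Finding 'ISM-1929' "LDAPServerIntegrity is '$($ntds.LDAPServerIntegrity)' on $env:COMPUTERNAME, expected 2"
}

# ISM-1930: Group Policy Preference items keep credentials in a 'cpassword' attribute under SYSVOL.
$policies = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
Get-ChildItem -Path $policies -Recurse -Include *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword=' -List |
    ForEach-Object { Add-Finding 'ISM-1930' "cpassword present in $($_.Path)" }

# ISM-1931: SID filtering on every trust (forest trusts: SIDFilteringForestAware; others: SIDFilteringQuarantined).
Get-ADTrust -Filter * | ForEach-Object {
    $filtered = if ($_.ForestTransitive) { $_.SIDFilteringForestAware } else { $_.SIDFilteringQuarantined }
    if (-not $filtered) { Add-Finding 'ISM-1931' "trust with $($_.Name) has SID filtering disabled" }
}

# ISM-1932/1933/1934: who holds the three DS-Replication-Get-Changes* rights (DCSync) on the domain
# head, and whether any SPN-bearing service account is among them.
$replRights = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',
              '89e95b76-444d-4c62-991a-0facbeda640c'
$holders = (Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType.ToString() -in $replRights } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
Add-Finding 'ISM-1934' "DCSync rights held by: $($holders -join ', ') (review at least annually)"
Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties ServicePrincipalName | ForEach-Object {
    $acct = "$($domain.NetBIOSName)\$($_.SamAccountName)"
    if ($holders -contains $acct) { Add-Finding 'ISM-1933' "SPN account $acct holds DCSync rights" }
    else { Add-Finding 'ISM-1932' "SPN account $acct exists; confirm it is still required" }
}

# ISM-1935: unconstrained delegation on computers that are not DCs (primary group 516/521).
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties PrimaryGroupID |
    Where-Object { $_.PrimaryGroupID -notin 516, 521 } |
    ForEach-Object { Add-Finding 'ISM-1935' "$($_.Name) is trusted for unconstrained delegation" }

# ISM-1936/1937: user accounts still carrying sIDHistory.
Get-ADUser -Filter { SIDHistory -like "*" } -Properties SIDHistory |
    ForEach-Object { Add-Finding 'ISM-1936' "$($_.SamAccountName) has sIDHistory: $($_.SIDHistory -join ', ')" }

# ISM-1939..1942: membership of the highest-privilege groups; a computer account is a finding outright.
foreach ($group in 'Domain Admins', 'Enterprise Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
    if ($members.Count -eq 0) { continue }   # Enterprise Admins only exists in the forest root domain
    $members | Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object { Add-Finding 'ISM-1941' "computer $($_.Name) is a member of $group" }
    Add-Finding 'ISM-1939' "$group has $($members.Count) members: $($members.SamAccountName -join ', ')"
}

# ISM-1955: computer account credentials not changed in the last 12 months.
$cutoff = (Get-Date).AddMonths(-12)
Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
    ForEach-Object { Add-Finding 'ISM-1955' "$($_.Name) password last set: $($_.PasswordLastSet)" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script only reads configuration; remediation of each finding (enforcing LDAP signing, removing cpassword items, trimming group membership, resetting machine passwords) is a separate change-controlled step.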
Additional ISM Changes
In addition to the key controls discussed above, the September 2024 ISM update introduces several other important controls that strengthen various areas of cybersecurity. These are essential for ensuring a comprehensive understanding of the update:
- Database Systems Event Logging:
Minor changes ensure consistency in how events are centrally logged across database systems, aligning with other event logging guidelines (ISM-1537).
- Network Devices and Protocols:
Server Message Block (SMB) Protocol: The update recommends avoiding the use of SMB version 1 on networks to mitigate vulnerabilities (ISM-1962).
Network Device Event Logging: Security-relevant events for both internet-facing and non-internet-facing network devices must be centrally logged and analysed in a timely manner (ISM-1963, ISM-1964).
- Cross Domain Solutions (CDS) and Gateways:
Content Checking: Files transferred via gateways or CDSs must undergo content checks (such as keyword, metadata, or protective marking) to prevent data spills and unauthorised exports (ISM-1965).
Event Logging: Event logs must be captured and stored in a structured format, and a consistent time source is recommended (ISM-1959, ISM-0988).
- Vulnerability Disclosure Programs:
Organisations must now use security.txt files for each internet-facing website domain as part of their vulnerability disclosure program (ISM-1717).
- Microsoft Active Directory Certificate Services (AD CS):
Various new controls improve security for AD CS, including enforcing strong mapping between certificates and users, restricting certificate template access, and removing Extended Key Usages that allow user authentication (ISM-1943 to ISM-1947).
- Miscellaneous Terminology Updates:
Terminology updates ensure consistency with Microsoft Active Directory standards. These include changes in references to “privileged” and “unprivileged” accounts and the distinction between security groups (ISM-0445, ISM-1175, ISM-1650).
Real-World Incidents and How ISM Controls Could Have Mitigated Them
In this section, I will expand on the real-world incidents mentioned, linking them directly to the September 2024 ISM controls and explaining how these controls could have mitigated or prevented the attacks.
- Accellion FTA Breach (2021) – Mitigated by ISM-1735 (Media Sanitisation) - The Accellion FTA breach exposed sensitive data due to improperly handled media and outdated systems that were not securely sanitised. The September 2024 ISM update (ISM-1735) mandates that any media that cannot be successfully sanitised must be destroyed. This control ensures that faulty or damaged media that cannot be wiped is securely disposed of, preventing the risk of adversaries recovering data. If this control had been in place during the Accellion FTA breach, the compromised media could have been destroyed, significantly reducing the risk of data exposure.
- SolarWinds Attack (2020) – Mitigated by ISM-0582 (Event Logging) - The SolarWinds attack exploited inadequate event logging, allowing attackers to infiltrate systems and maintain a presence for extended periods without detection. The September 2024 ISM update (ISM-0582) mandates that operating system events must be centrally logged and prioritised for threat detection. If SolarWinds had implemented these enhanced logging controls, the anomalous activities could have been detected sooner, allowing for a quicker response and mitigation of the attack.
- WannaCry Ransomware Attack (2017) – Mitigated by ISM-1926, ISM-1927, ISM-1928 (AD Hardening and Backup Controls) - The WannaCry ransomware attack exploited vulnerabilities in Active Directory environments, allowing attackers to move laterally through networks and spread ransomware across systems. The September 2024 ISM updates, particularly ISM-1926 (designated role for AD services), ISM-1927 (privileged access restrictions), and ISM-1928 (encrypted backups), would have provided enhanced security by restricting access to critical AD systems and ensuring that encrypted backups were available to recover data in case of a ransomware attack. These controls would have mitigated lateral movement within the network and allowed for quicker recovery, thus reducing the overall damage caused by the attack.
- NotPetya Ransomware Attack (2017) – Mitigated by ISM-0421 and ISM-1930 (Password and AD Controls) - The NotPetya ransomware attack leveraged weak password practices and Active Directory misconfigurations to spread rapidly across networks. The September 2024 ISM update (ISM-0421) increases the minimum passphrase length for single-factor authentication to 15 characters, making it harder for attackers to crack passwords. Additionally, ISM-1930 prevents passwords from being stored in Group Policy Preferences, reducing the risk of credential theft. If these controls had been enforced during NotPetya, it would have significantly reduced the attackers' ability to escalate privileges and spread across the network.
- Marriott Breach (2018) – Mitigated by ISM-1958 (Privileged Operating Environments) - The Marriott breach resulted from inadequate segregation between privileged and non-privileged accounts, which allowed attackers to access sensitive systems. The September 2024 ISM update (ISM-1958) introduces controls to prevent user accounts with DCSync permissions from logging into unprivileged environments, ensuring that privileged accounts are only used in secure environments. If this control had been in place, it would have prevented attackers from leveraging compromised accounts with high-level permissions to escalate access across the Marriott network, potentially averting the breach.
By directly linking the September 2024 ISM controls to these well-known incidents, it becomes evident how these updates could have prevented or significantly mitigated the impact of such attacks. This underscores the importance of the new controls and provides a practical lens through which organisations can understand their relevance and implementation.
Impact on Corporations, Critical Infrastructure Providers, and Cloud Vendors
Impact on Corporations:
Corporations often face threats such as phishing attacks, ransomware, and supply chain compromises. The enhanced logging and password controls introduced in the September 2024 ISM update will significantly improve corporations’ ability to detect and mitigate these threats. For example, the strengthened passphrase control [ISM-0421] directly addresses vulnerabilities associated with weak passwords, reducing the likelihood of attacks similar to the Optus breach (2022), where compromised credentials led to a data breach.
Impact on Critical Infrastructure Providers:
Critical infrastructure providers must protect systems that, if compromised, could have national security implications. The Active Directory hardening controls ([ISM-1926], [ISM-1927], [ISM-1928]) are particularly important in environments where attackers may seek to disrupt operations. These controls ensure that AD services are tightly controlled and backups are encrypted, preventing attacks like the Oldsmar water treatment plant incident (2021), where misconfigurations allowed unauthorised access.
Impact on Cloud Vendors:
Cloud vendors must manage the security of multi-tenant environments where the stakes are particularly high. The separate privileged operating environments control [ISM-1958] ensures attackers cannot easily escalate privileges to gain broader access even if a non-privileged environment is compromised. This is especially important in preventing breaches like the Uber breach (2022), where the lack of strict access controls led to widespread data exposure.
A Word of Thanks to ASD
I want to thank the Australian Signals Directorate for their ongoing efforts to maintain the ISM. The clarity and precision of these updates reflect ASD’s dedication to keeping Australian organisations secure in the face of rapidly evolving threats. These quarterly updates are essential to ensuring cybersecurity standards remain robust and actionable.
Conclusion
The September 2024 ISM update significantly improves security controls for corporations, critical infrastructure providers, and cloud vendors. These controls empower organisations to secure their operations more effectively by addressing real-world vulnerabilities and introducing enhanced safeguards.
Organisations must review and implement these changes to remain resilient against modern cyber threats. The ISM continues to be an invaluable resource for Australian businesses, and this update reinforces its role in safeguarding Australia’s digital future.
Nathan Joy is a seasoned cybersecurity professional with over two decades of experience safeguarding Australian Government agencies and cloud vendors. As the first IT security manager in the Australian Government to implement the ASD Top 4 controls, Nathan played a pivotal role in pioneering robust cybersecurity practices within our nation. His dedication to innovation was recognised by the prestigious SANS Cyber Security Innovation Award, and he even had the honour of briefing the White House, Homeland Security, and the NSA on Australia's groundbreaking approach. Nathan's expertise extends to all cloud deployment models (IaaS, PaaS, SaaS) and is further validated by his IRAP assessor endorsement from the Australian Signals Directorate (ASD) since 2011. The views and opinions expressed in this article are Nathan's own and do not reflect the official position of the ASD or the Australian Cyber Security Centre (ACSC).
Inspired, Driven, Innovator. Infosec strategist, founder and CEO at Red Piranha
5 months ago
Nice one Nathan. The new (event logging) guidance is more about true detection and response capability, and is well past due. The guidance itself is written with a focus on the collection of logs. This will confuse the reader, as the security outcome is the capability to have effective detection and efficient response capability. If we focus on the event logging we will see pointless log collection with ineffective security outcomes and large storage bills IMO.
Google Security | Mandiant | Board Member *views are my own*
5 months ago
Excellent write-up Nathan, seems the ISM has followed NIST changes on password controls.