Defence cyber security chief pushes intrusion prevention

Leaves negativity out of IT risk assessments.

Over 70 percent of IT security-related intrusions that were brought to the attention of the Defence Signals Directorate (DSD) in 2009 could have been prevented by simple patching or administrative rights, leading government security adviser Mike Burgess said.

Speaking at a cyber security summit in Canberra this week, Burgess said that there were well established measures available to defend against many cyber intrusions.

He cited the lastest version of a DSD guide that offered agencies 35 strategies to mitigate against intrusions as proof that the word was spreading throughout government and industry.

Burgess said that the top four strategies were to patch applications, patch operating systems, minimise the number of users with domain or local administrative priveleges, and application whitelisting.

Had organisations implemented those top four strategies in 2009, almost three in four call-outs for intrusions could have been prevented, he said.

Burgess said that, when combined with advances in IT security technology, adhering to the top four strategies would repel up to 85 percent of intrusion attempts.

The top four strategies remain unchanged between versions of the DSD document. Some changes introduced in the latest document included user education, which had moved up in priority from #31 to #8.

"We now recommend education in a number of areas such as stronger passwords, thinking about the websites you visit on your work computer, and not using media such as USB drives that are not Corporate-supported," Burgess said.

Changing approach

The DSD was changing its approach to security, Burgess said.

"Traditionally information security - like physical security - has been informed by a conservative prescriptive mindset," he said.

One example of this was DSD's recent advice on cloud computing. The Directorate had avoided being negative about the introduction of cloud compute, where in the past it may have been more against its introduction to environments.

"We can’t stop people from musing the latest technology. What we can do is enable them to use it in the least risky ways," he said.

He also said DSD was open to a more collaborative approach.

"This is why for the first time, our next release of the Information security manual will be available for comment on Onsecure, DSD’s online security portal, in early August for three weeks," Burgess said.

"This will allow agencies time to provide online feedback on the document before its next official update."