Basic holes behind 70% of Defence breach call outs

Powered by SC Magazine
 

Missed patches and borked administrative rights blamed.

Over 70 percent of data breaches escalated to the Defence Signals Directorate (DSD) in 2009 could have been prevented by simple patching or administrative rights, leading government security adviser Mike Burgess said.

Speaking at a cyber security summit in Canberra this week, Burgess said that there were well established measures available to defend against many cyber intrusions.

He cited the lastest version of a DSD guide that offered agencies 35 strategies to mitigate against intrusions as proof that the word was spreading throughout government and industry.

Burgess said that the top four strategies were to patch applications, patch operating systems, minimise the number of users with domain or local administrative priveleges, and application whitelisting.

Had organisations implemented those top four strategies in 2009, almost three in four call-outs for intrusions could have been prevented, he said.

Burgess said that, when combined with advances in IT security technology, adhering to the top four strategies would repel up to 85 percent of intrusion attempts.

The top four strategies remain unchanged between versions of the DSD document. Some changes introduced in the latest document included user education, which had moved up in priority from #31 to #8.

"We now recommend education in a number of areas such as stronger passwords, thinking about the websites you visit on your work computer, and not using media such as USB drives that are not Corporate-supported," Burgess said.

Changing approach

The DSD was changing its approach to security, Burgess said.

"Traditionally information security - like physical security - has been informed by a conservative prescriptive mindset," he said.

One example of this was DSD's recent advice on cloud computing. The Directorate had avoided being negative about the introduction of cloud compute, where in the past it may have been more against its introduction to environments.

"We can’t stop people from musing the latest technology. What we can do is enable them to use it in the least risky ways," he said.

He also said DSD was open to a more collaborative approach.

"This is why for the first time, our next release of the Information security manual will be available for comment on Onsecure, DSD’s online security portal, in early August for three weeks," Burgess said.

"This will allow agencies time to provide online feedback on the document before its next official update."

Copyright © iTnews.com.au . All rights reserved.


Basic holes behind 70% of Defence breach call outs
 
 
 
Top Stories
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
ANZ looks to life beyond the transaction
If digital disruptors think an online payments startup could rock the big four, they’ve missed the point of why people use banks, says Patrick Maes.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  28%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  21%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1074

Vote