Basic holes behind 70% of Defence breach call outs

Powered by SC Magazine
 

Missed patches and borked administrative rights blamed.

Over 70 percent of data breaches escalated to the Defence Signals Directorate (DSD) in 2009 could have been prevented by simple patching or administrative rights, leading government security adviser Mike Burgess said.

Speaking at a cyber security summit in Canberra this week, Burgess said that there were well established measures available to defend against many cyber intrusions.

He cited the lastest version of a DSD guide that offered agencies 35 strategies to mitigate against intrusions as proof that the word was spreading throughout government and industry.

Burgess said that the top four strategies were to patch applications, patch operating systems, minimise the number of users with domain or local administrative priveleges, and application whitelisting.

Had organisations implemented those top four strategies in 2009, almost three in four call-outs for intrusions could have been prevented, he said.

Burgess said that, when combined with advances in IT security technology, adhering to the top four strategies would repel up to 85 percent of intrusion attempts.

The top four strategies remain unchanged between versions of the DSD document. Some changes introduced in the latest document included user education, which had moved up in priority from #31 to #8.

"We now recommend education in a number of areas such as stronger passwords, thinking about the websites you visit on your work computer, and not using media such as USB drives that are not Corporate-supported," Burgess said.

Changing approach

The DSD was changing its approach to security, Burgess said.

"Traditionally information security - like physical security - has been informed by a conservative prescriptive mindset," he said.

One example of this was DSD's recent advice on cloud computing. The Directorate had avoided being negative about the introduction of cloud compute, where in the past it may have been more against its introduction to environments.

"We can’t stop people from musing the latest technology. What we can do is enable them to use it in the least risky ways," he said.

He also said DSD was open to a more collaborative approach.

"This is why for the first time, our next release of the Information security manual will be available for comment on Onsecure, DSD’s online security portal, in early August for three weeks," Burgess said.

"This will allow agencies time to provide online feedback on the document before its next official update."

Copyright © iTnews.com.au . All rights reserved.


Basic holes behind 70% of Defence breach call outs
 
 
 
Top Stories
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
The big winners from Defence’s back-office IT refresh
Updated: The full list of subcontractors.
 
Tracking the year of CIO churn
[Blog post] Who shone through in 12 months of disruption?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  68%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  11%
 
Denial of service attacks
  6%
 
Insider threats
  12%
TOTAL VOTES: 1009

Vote