iTnews

Govt pushes Flash, Java, web ad blocks in revised infosec manual

By Ry Crozier on Dec 4, 2018 8:41AM

Browser hardening and automated patching among 66 new controls.

The Australian Cyber Security Centre (ACSC) is advising security professionals they “must” block or disable Adobe Flash, web advertisements and “Java from the internet” to harden web browsers against attacks.

The advice is contained in three of 66 new security controls added to the Information Security Manual (ISM) as part of its yearly revision.

An update to the ISM, which is the core rulebook for agencies, released this morning, also states that “258 of 945 security controls were removed”.

Some were removed to encourage changes in security culture from compliance to risk management; many were simply merged or relisted as “supporting documentation”.

The changes were driven in part by the need to align the ISM with the government’s simplified protective security policy framework (PSPF), which came into effect in October, and also by changes in technology, among other factors.

Some of the additions relate to gaps “in guidance on organisation-owned mobile devices”; authorities have previously issued guidance only around bring your own device (BYOD) policies.

“If organisations choose to issue personnel with mobile devices to access their organisation’s information and systems, they should ensure that the devices do not present an unacceptable security risk,” the new advice states.

Three new controls aim to “address a gap in guidance on the hardening of web browsers”. They are given a “must” priority and relate to browsers being configured to block Flash, Java and web ads.

The new ISM also contains three new security controls aimed at reducing the effectiveness of macros in Microsoft Office as a malware vector.

These are: “Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros”; “Microsoft Office macros in documents originating from the Internet are blocked”; and “Microsoft Office macro security settings cannot be changed by users.”
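As an added example (not from the article or the ISM), the following PowerShell audit checks a workstation against the three macro controls quoted above. It assumes Office is managed through the Group Policy keys under HKCU\Software\Policies for version 16.0, and the list of applications checked is an assumption.

```powershell
# Added example (not from the ISM or the article): audits a host against the three
# ISM macro controls. Assumes Office 16.0 policy keys under HKCU\Software\Policies.
$Apps = 'Word', 'Excel', 'PowerPoint'   # assumption: which applications to audit
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

foreach ($app in $Apps) {
    $sec = Join-Path $PolicyRoot "$app\Security"
    $pol = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue

    # Control 2: macros in documents originating from the Internet (Mark-of-the-Web) are blocked.
    $internetBlocked = ($pol.blockcontentexecutionfrominternet -eq 1)

    # Control 3: values under the Policies hive are enforced by Group Policy, so the
    # Trust Center UI cannot override them; if absent, users can change the settings.
    $lockedByPolicy = ($null -ne $pol) -and ($null -ne $pol.VBAWarnings)

    # Control 1: VBAWarnings=4 disables all macros outside Trusted Locations without
    # notification; then list who holds write access on each Trusted Location path.
    $trustedOnly = ($pol.VBAWarnings -eq 4)
    $writers = @()
    $tlRoot = Join-Path $sec 'Trusted Locations'
    Get-ChildItem -Path $tlRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $loc = Get-ItemProperty -Path $_.PSPath
        if ($loc.Path -and (Test-Path -Path $loc.Path)) {
            $acl = Get-Acl -Path $loc.Path
            foreach ($ace in $acl.Access) {
                # Any Allow entry granting write, modify or full control needs review:
                # the ISM limits write access to the personnel who vet and approve macros.
                if ($ace.AccessControlType -eq 'Allow' -and
                    ($ace.FileSystemRights -match 'Write|Modify|FullControl')) {
                    $writers += "$($loc.Path): $($ace.IdentityReference)"
                }
            }
        }
    }

    [pscustomobject]@{
        Application         = $app
        MacrosTrustedOnly   = $trustedOnly
        InternetBlocked     = $internetBlocked
        LockedByPolicy      = $lockedByPolicy
        TrustedLocWriters   = ($writers -join '; ')
    }
}
```

Each row should show all three booleans as True and only the approved vetting group in TrustedLocWriters; anything else is a gap against the corresponding control.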

Six new controls target “extreme” or “high-risk” vulnerabilities in operating systems and firmware and how quickly they are patched.

The new requirements include that the application of patches, and confirmation that they have been applied, is handled by an automated system.

Other changes include:

  • Requirements to regularly review privileged accounts and access
  • An entirely new section on backups and restores
  • Advice on separating data flows in cross domain solutions

Also of note in the new ISM is a security control that appears to limit how far up the government information stack cloud players like AWS and Microsoft might be allowed to go.

The approval of Azure to handle protected level information this year caused the government and Microsoft some grief as a new series of security controls had to be defined for the purpose.

The ISM puts a limit on how far public cloud can go.

“If using outsourced cloud services for highly classified information, public clouds are not used,” is stipulated as a new security control with a “must” priority.

Copyright © iTnews.com.au . All rights reserved.