Govt pushes Flash, Java, web ad blocks in revised infosec manual

By Ry Crozier on Dec 4, 2018 8:41AM

Browser hardening and automated patching among 66 new controls.

The Australian Cyber Security Centre (ACSC) is advising security professionals they “must” block or disable Adobe Flash, web advertisements and “Java from the internet” to harden web browsers against attacks.

The advice is contained in three of 66 new security controls added to the Information Security Manual (ISM) as part of its yearly revision.

The update to the ISM, which is the core rulebook for agencies, was released this morning and also states that "258 of 945 security controls were removed".

Some were removed to encourage changes in security culture from compliance to risk management; many were simply merged or relisted as “supporting documentation”.

The changes were driven in part by the need to align the ISM with the government's simplified protective security policy framework (PSPF), which came into effect in October, and in part by changes in technology, among other factors.

Some of the additions relate to gaps “in guidance on organisation-owned mobile devices”; authorities have previously issued guidance only around bring your own device (BYOD) policies.

“If organisations choose to issue personnel with mobile devices to access their organisation’s information and systems, they should ensure that the devices do not present an unacceptable security risk,” the new advice states.

Three new controls aim to “address a gap in guidance on the hardening of web browsers”. They are given a “must” priority and relate to browsers being configured to block Flash, Java and web ads.

The new ISM also contains three new security controls aimed at reducing the effectiveness of macros in Microsoft Office as a malware vector.

These are: “Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros”; “Microsoft Office macros in documents originating from the Internet are blocked”; and “Microsoft Office macro security settings cannot be changed by users.”
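The three macro controls map onto Office Group Policy settings that land under the HKCU\Software\Policies hive, where the matching Trust Center options are greyed out for users. The PowerShell script below is an added audit example, not code from the ISM or from iTnews: it checks, for Word, Excel and PowerPoint, that macros are disabled by policy (so only documents in Trusted Locations can run them), that macros in files marked as originating from the Internet are blocked, and that the settings are enforced by policy rather than user-editable; it then lists who holds write access to each configured Trusted Location, since anyone who can write there can drop a macro document that bypasses the macro setting. The Office version string "16.0" and the value names are the documented Office 2016/365 policy locations; the version is an assumption about the installed build.

```powershell
# Added example: audit the Office macro policy values that implement the three ISM
# macro controls. Registry paths are the Office 2016/365 Group Policy locations;
# "16.0" is assumed to match the installed Office version.
$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-MacroControls {
    param([string]$App)
    # Values under HKCU\Software\Policies are written by Group Policy and lock the
    # corresponding Trust Center options, which is what "cannot be changed by users" needs.
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $vba  = Get-PolicyValue $sec 'VBAWarnings'                        # 4 = disable all macros without notification
    $motw = Get-PolicyValue $sec 'blockcontentexecutionfrominternet'  # 1 = block macros in files from the Internet
    $allDisabled = Get-PolicyValue "$sec\Trusted Locations" 'AllLocationsDisabled'
    [pscustomobject]@{
        App                    = $App
        MacrosDisabledByPolicy = ($vba -eq 4)
        InternetMacrosBlocked  = ($motw -eq 1)
        TrustedLocationsInUse  = ($allDisabled -ne 1)
        SettingsLockedByPolicy = ($null -ne $vba -and $null -ne $motw)
    }
}

function Get-TrustedLocationWriters {
    param([string]$App)
    $tl = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security\Trusted Locations"
    if (-not (Test-Path $tl)) { return }
    foreach ($loc in Get-ChildItem $tl) {
        $raw = (Get-ItemProperty $loc.PSPath).Path
        if (-not $raw) { continue }
        # Trusted Location paths may contain %APPDATA%-style variables; expand before checking.
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        if (-not (Test-Path $path)) { continue }
        # Any identity with write, modify or full control on the folder can plant a macro
        # document that runs regardless of the macro setting; the ISM wants this limited to
        # the personnel who vet and approve macros.
        $writers = (Get-Acl $path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.FileSystemRights -match 'Write|Modify|FullControl') } |
            Select-Object -ExpandProperty IdentityReference -Unique
        [pscustomobject]@{ App = $App; TrustedPath = $path; CanWrite = ($writers -join ', ') }
    }
}

$apps | ForEach-Object { Test-MacroControls $_ }         | Format-Table -AutoSize
$apps | ForEach-Object { Get-TrustedLocationWriters $_ } | Format-Table -AutoSize
```

Run it in the context of an ordinary user account, since the policy keys live in HKCU; a row with MacrosDisabledByPolicy or SettingsLockedByPolicy set to False means the setting is either missing or sits only in the user-editable HKCU\Software\Microsoft hive, which does not satisfy the third control.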

Six new controls target “extreme” or “high-risk” vulnerabilities in operating systems and firmware and how quickly they are patched.

The new requirements include that patches are applied, and their application confirmed, by an automated system rather than by hand.

Other changes include:

  • Requirements to regularly review privileged accounts and access
  • An entirely new section on backups and restores
  • Advice on separating data flows in cross domain solutions

Also of note in the new ISM is a security control that appears to limit how far up the government's classification levels cloud providers such as AWS and Microsoft can be allowed to go.

The approval of Azure to handle protected level information this year caused the government and Microsoft some grief as a new series of security controls had to be defined for the purpose.

The ISM puts a limit on how far public cloud can go.

“If using outsourced cloud services for highly classified information, public clouds are not used,” is stipulated as a new security control with a “must” priority.

Copyright © iTnews.com.au . All rights reserved.