By Daryl Haines, security principal, Pure Hacking
Cyberattacks are a fact of life for Australian business. According to CERT Australia, there were 11,733 cyberattack incidents affecting Australian business in 2014-15, and of those, 218 involved systems of national interest and critical infrastructure.
So what can you do to prevent an attack and not become another statistic?
A good way to look at it is to engage the Pareto Principle, also known as the 80/20 rule, which states that, for many events, roughly 80 per cent of the effects come from 20 per cent of the causes.
The Australian Signals Directorate (ASD), formerly known as the Defence Signals Directorate (DSD), found this to be true when it looked at security incidents it had investigated, as well as the results from vulnerability assessments and penetration testing.
The ASD came up with a list of the top 35 security strategies that can mitigate most cyber intrusions, and found that just four of these strategies would have mitigated at least 85 per cent of the intrusions the ASD responded to. It now refers to these as the ASD Top 4 Mitigation Strategies to Protect Your ICT Systems.
According to the ASD the Top Four strategies are:
- Use application whitelisting to help prevent malicious software and unapproved programs from running
- Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
- Patch operating system vulnerabilities
- Restrict administrative privileges to operating systems and applications based on user duties
Recent research from security vendor Avecto took this one step further and found that just one control, removing administration rights from users, would have mitigated 80 per cent of the Microsoft vulnerabilities reported over the past year. When you narrow this down to Microsoft vulnerabilities rated as Critical, the figure rises to 97 per cent.
It’s clear then that some controls are more significant than others, and a good security program would prioritise those controls that have the greatest effect.
It makes sense from a risk perspective, and it also makes sense when considering return on investment (RoI). On this point the ASD has also provided useful guidance, giving each of the Top 35 Security Strategies ratings based on key criteria such as the cost of implementation and maintenance, user resistance to the control being implemented, as well as the ability to both detect and prevent intrusions.
The ASD Top 35 is a great reference point for any organisations that wish to assess their risk of cyber-intrusion.
ABOUT DARYL HAINES
Daryl Haines is principal consultant - Governance, Risk & Compliance at Pure Hacking. With over 15 years’ experience, he is an expert in security governance, risk and compliance specialising in ISO 27001 Information Security Management and Payment Card Industry Data Security Standard (PCI DSS) compliance.