Did you know that in 2010 Australia created the Cyber Security Centre to monitor and test technology to reduce cyber-attacks and crimes?
In its monitoring, the CSC detected that in 2012 the rate of attacks increased by 41%, and in the following year it rose by a further 21%.
Did you also know that, since April 2013, the Australian government has made it mandatory for all government agencies to follow the top four mitigation strategies, because they have been shown to stop 85% of attacks?
The government’s principle is that prevention is better than a cure.
In testing labs, the CSC found that machines covered by the top four strategies alone were able to resist the thousands of attacks that they were subjected to under test conditions.
So the question I ask you is: Are your systems following the same four risk mitigation strategies? Are your IT people on their toes and delivering this kind of control to your business networks?
The top four strategies outlined by the Cyber Security Centre can be found here. My summary of them follows:
1. Application whitelisting
This maintains a list of applications that are approved to install and run, and blocks everything else, including malware, from executing on each PC. Your IT people can implement it by selecting and managing an appropriate tool. There is a considerable amount of work involved, because it is important to understand which applications the organisation actually uses before the lockdown is applied.
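The audit-then-enforce workflow described above, as an added Python example (this is not code from the Cyber Security Centre, the briefing paper or Combo): each executable is identified by its SHA-256 hash, an audit pass logs what would have been blocked so that the undocumented application staff rely on is discovered before lockdown, and only after review is enforcement switched on. The executable contents, file names and the "accounting.exe" discovery are constructed stand-ins, not real binaries or samples.

```python
"""Hash-based application allowlisting, run in audit mode first and enforce mode second.

Constructed example: the byte strings below stand in for executables; a real
allowlisting tool hashes the actual files on disk.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class Allowlist:
    """Approved executables keyed by SHA-256, so renaming a file changes nothing."""
    approved: dict                       # sha256 hex digest -> friendly name
    mode: str = "audit"                  # "audit": log only; "enforce": block unknown code
    log: list = field(default_factory=list)

    def check(self, filename: str, content: bytes) -> bool:
        """Return True if execution is permitted under the current mode."""
        digest = sha256_hex(content)
        if digest in self.approved:
            self.log.append(("allowed", filename, digest))
            return True
        if self.mode == "audit":
            # Audit mode: record what would have been blocked, but let it run.
            self.log.append(("would-block", filename, digest))
            return True
        self.log.append(("blocked", filename, digest))
        return False

    def would_have_blocked(self) -> list:
        """Unique (filename, digest) pairs flagged in audit mode: the discovery output."""
        return sorted({(f, d) for (v, f, d) in self.log if v == "would-block"})


# Constructed stand-ins for executables (hypothetical names and contents).
KNOWN_GOOD = {
    "winword.exe": b"MZ...word-processor-build-1603",
    "outlook.exe": b"MZ...mail-client-build-1603",
}
ACCOUNTING_APP = b"MZ...line-of-business-accounting-4.2"   # in daily use, never inventoried
MALWARE = b"MZ...dropper-payload"                          # constructed placeholder, not a sample


def initial_allowlist() -> Allowlist:
    """The list IT starts from: only the applications it already knows about."""
    approved = {sha256_hex(b): name for name, b in KNOWN_GOOD.items()}
    return Allowlist(approved=approved, mode="audit")


def audit_phase(al: Allowlist) -> list:
    """Let the fleet run normally in audit mode and collect what would have been blocked."""
    observed = [
        ("winword.exe", KNOWN_GOOD["winword.exe"]),
        ("accounting.exe", ACCOUNTING_APP),  # not on the IT inventory, but staff need it
    ]
    for filename, content in observed:
        al.check(filename, content)
    return al.would_have_blocked()


def approve_discovered(al: Allowlist, discovered: list, reviewed_ok: set) -> None:
    """Add only those audit findings that a person has reviewed and approved."""
    for filename, digest in discovered:
        if filename in reviewed_ok:
            al.approved[digest] = filename


def enforce_phase(al: Allowlist) -> dict:
    """Switch to enforce mode and record the decision for each kind of executable."""
    al.mode = "enforce"
    tampered = KNOWN_GOOD["outlook.exe"] + b"\x00"   # one byte appended: different hash
    return {
        "accounting": al.check("accounting.exe", ACCOUNTING_APP),
        "malware": al.check("invoice.exe", MALWARE),
        "renamed_malware": al.check("winword.exe", MALWARE),   # a trusted name is not enough
        "tampered_outlook": al.check("outlook.exe", tampered),
        "genuine_outlook": al.check("outlook.exe", KNOWN_GOOD["outlook.exe"]),
    }


def rollout() -> dict:
    """Full workflow: audit, review, enforce. Returns the enforcement decisions."""
    al = initial_allowlist()
    discovered = audit_phase(al)
    # Nothing was stopped during audit, but the unknown application surfaced for review.
    if discovered != [("accounting.exe", sha256_hex(ACCOUNTING_APP))]:
        raise RuntimeError("audit pass did not surface the undocumented application")
    approve_discovered(al, discovered, reviewed_ok={"accounting.exe"})
    return enforce_phase(al)


if __name__ == "__main__":
    for name, allowed in rollout().items():
        print(f"{name:18} {'allowed' if allowed else 'BLOCKED'}")
```

The point of the audit pass is the one the paragraph makes: had enforcement been switched on straight away, the accounting application would have been blocked and its users stopped from working. Hash-based rules also show why renaming malware to a trusted file name, or modifying an approved executable, does not get it past the list.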
2. Patch applications
Application vendors regularly publish updates to their code to close vulnerabilities that have been discovered. Microsoft is famous for its “Patch Tuesday”, when it sends out updates to its common tools to reduce the vulnerabilities in its code. In some cases an ongoing subscription or a version upgrade will be required to ensure that your version of the code is still being patched.
3. Patch operating systems
This is similar to patching applications, and it likewise depends on the vendors releasing patches for newly discovered vulnerabilities. In the case of Windows XP this service is no longer available, and in the case of Microsoft Windows Server 2003 the service will end in July 2015. It is important to upgrade these systems before the patching finishes, and it is just as important to roll out patches as they are made available. If your IT people are not managing this process, your servers are at risk.
4. Restrict administrative privileges
This may seem obvious, but keeping administrative rights to the few people who need them reduces the attack vectors that can be used against your systems. It also stops malware taking advantage of administrative rights to spread itself between PCs and across networks. Again, this will take some time to implement, as some applications already in use require administrative rights to run, and the use of some peripheral devices can require administrative rights as well. Finding out what needs access, and setting it up to work, will take testing before the solution is rolled out; otherwise the rollout will cripple staff use of IT systems.
There are 35 strategies outlined in the briefing paper. Many of them are quite achievable and some are more complex, ranging from enforcing complex passwords, to web and email filtering, to denying direct internet access from PCs.
In government, only the first four are mandatory. To show how even this forward-thinking piece of work has dated since it was last updated in February 2014: it does not yet include encryption of data in transit, in use and at rest.
This technology has only just emerged to meet a need that has arisen with cloud services. My point here is that security in IT is a fast-moving environment that needs to be continuously managed in all organisations, not just government.
Today there are plenty of capable companies offering managed IT services that deliver many of these 35 strategies for you in a seamless manner. The good ones will give you options on how far you wish to go, which of course will depend on your business requirements for security and risk mitigation offset against your budget and appetite for disruption to work practices.
If you suspect your systems are not at the risk mitigation level they should be, seek expert assistance. It is likely to be much cheaper than rectification after an attack.
David Markus is the founder of Combo – the IT services company that is known for solving business problems with IT. How can we help?