Australian DoD's Top 35 Mitigation Strategies for 2011

JDMurray Admin Posts: 13,082
If you are looking for defensive talking points for your next InfoSec presentation, here are the 2011 Top 35 Mitigation Strategies recommended by the Defence Signals Directorate (DSD) of the Australian Department of Defence.

From the article:

At least 85% of the targeted cyber intrusions that the Defence Signals Directorate (DSD) responded to in 2010 could have been prevented by following the first four mitigation strategies listed in our Top 35 Mitigation Strategies:
  • Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers.
  • Patch operating system vulnerabilities.
  • Minimise the number of users with administrative privileges.
  • Use application whitelisting to help prevent malicious software and other unapproved programs from running.
The Top 35 Mitigation Strategies are ranked in order of overall effectiveness. Rankings are based on DSD’s analysis of reported security incidents and vulnerabilities detected by DSD in testing the security of Australian Government networks.

Comments

  • it_consultant Member Posts: 1,903
    These are surprisingly similar to Microsoft's INFOSEC strategies. One day people will realize that normally technology is not the unsecure component, it's the users.
  • veritas_libertas Member Posts: 5,746
    That list of problems you quoted is shockingly obvious.
  • JDMurray Admin Posts: 13,082
    veritas_libertas wrote: »
    That list of problems you quoted is shockingly obvious.

    Yes, there's nothing new on it. It's simply Australia's assessment of needed security measures based on their own recent history of cyber incidents. It figures that all high-tech Western countries are using the same hardware, software, and configurations, so they share the same vulnerabilities.
  • mikedisd2 Member Posts: 1,096
    I never fully understand these types of articles. Keeping up to date with MS patches is as obvious as tying your shoelaces so you don't trip over them. It defies logic that an entity like the DOD isn't systematically performing updates.

    The first point got me thinking though. I don't think I've come across a company that has a policy for keeping non-MS applications up-to-date. I just chatted with the SOE team who mentioned SCUP for this purpose. How do you guys handle the patching of Adobe Reader, Flash, Java, Firefox, etc.?
  • pzero Member Posts: 192
    mikedisd2 wrote: »
    I never fully understand these types of articles. Keeping up to date with MS patches is as obvious as tying your shoelaces so you don't trip over them. It defies logic that an entity like the DOD isn't systematically performing updates.

    The first point got me thinking though. I don't think I've come across a company that has a policy for keeping non-MS applications up-to-date. I just chatted with the SOE team who mentioned SCUP for this purpose. How do you guys handle the patching of Adobe Reader, Flash, Java, Firefox, etc.?

    Enterprise solutions like Altiris, CA, etc. have the ability to keep 3rd party apps up to date. If you don't have something like that, you need to rely on manually downloading and using something like AD/GPO or manually scripting it.
  • JDMurray Admin Posts: 13,082
    The thing is that patches can't be applied to an enterprise network with tens of thousands of nodes without testing the patch first. Pushing app patches that end up causing conflicts with other apps, or cause an app itself to malfunction, can be disastrous to the operation of a network. Therefore, the delay in distributing patches is due to the pre-deployment testing and verification cycle.