Well, the DSD has recently updated their advice based on their analysis of reported security incidents and vulnerabilities detected by DSD in testing the security of Australian Government networks in 2010. The great news is that plenty of these strategies can be easily adopted by small and medium businesses (SMBs).
80-20 rule reigns supreme
DSD says that 85% of the incidents they responded to in 2010 could have been prevented by following the first four mitigation strategies listed in their Top 35 Mitigation Strategies for 2011:
- Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.
- Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.
- Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.
- Application whitelisting to help prevent malicious software and other unapproved programs from running e.g. by using Microsoft Software Restriction Policies or AppLocker.
Regular readers of AVG’s security advice might recognise the top 3 items. We constantly mention them. Best of all, they’re not too difficult for small and medium businesses (SMBs) to implement. Though strangely enough, large enterprises, with all of the top resources available to them, often struggle with these basic security measures.
Changes from 2010 to 2011
Interestingly, the DSD’s analysis released back in 2010 suggested that at least 70% of the targeted cyber intrusions that the DSD responded to in 2009 could have been repelled by the same first four strategies. This would seem to confirm that would-be cyber intruders were looking for more bang-for-buck in 2010, rather than using more sophisticated attacks.
It’s also interesting to note that the top 2 strategies switched position in the DSD recommendations from 2010 to 2011. This backs up what we’ve been saying about the bad guys moving more of their focus to vulnerabilities in common utilities and applications in 2010.
What should an SMB make of all of this?
SMBs need to make it a priority to address the top four mitigation strategies. This can be achieved gradually, starting with computers used by the employees most likely to be targeted by intrusions, and eventually extending them to all users.
Once this is achieved, you can selectively implement additional mitigation strategies based on the risk to your business information and operations. Other items in the Top 35 that are worthwhile for an SMB to consider include:
- #5 – Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and call hooking.
- #6 – Whitelisted email content filtering allowing only attachment types required for business functionality.
- #9 – Web content filtering of incoming and outgoing traffic, using signatures, reputation ratings and other heuristics, and whitelisting allowed types of web content.
- #12 – Workstation inspection of Microsoft Office files for abnormalities.
- #13 – Application based workstation firewall, configured to deny traffic by default, to protect against malicious or otherwise unauthorised incoming network traffic.
- #14 – Application based workstation firewall, configured to deny traffic by default, that whitelists which applications are allowed to generate outgoing network traffic.
- #21 – Antivirus software with up to date signatures, reputation ratings and other heuristic detection capabilities.
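As an illustration of strategy #6, here is a deny-by-default attachment check. It is an added example, not code from DSD or AVG. The allowlist contents, the sample message and the function names are assumptions, and the check that a file's leading bytes match its extension goes beyond what the strategy text itself requires.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed business allowlist: extension -> byte signatures a genuine file starts with.
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

def check_attachments(raw_message: bytes):
    """Return (filename, verdict, reason) per attachment; anything not allowlisted is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the final extension counts, so "invoice.pdf.exe" is treated as ".exe".
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext not in ALLOWED:
            results.append((name, "block", "type not on allowlist"))
        elif not data.startswith(ALLOWED[ext]):
            results.append((name, "block", "content does not match extension"))
        else:
            results.append((name, "allow", "allowlisted type"))
    return results

def build_sample() -> bytes:
    """Constructed sample message (not real mail) carrying three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Invoices"
    msg.set_content("See attached.")
    samples = [
        ("report.pdf", b"%PDF-1.4 constructed sample"),
        ("invoice.pdf.exe", b"MZ constructed sample"),
        ("statement.pdf", b"MZ constructed sample"),  # executable header behind a .pdf name
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict, reason in check_attachments(build_sample()):
        print(f"{verdict:5}  {name:18}  {reason}")
```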
And the good news is that installing AVG Internet Security Business Edition to protect your workstations and servers will enable you to easily achieve all of these key items! What are you waiting for?
Please check out the full list of 35 Strategies to Mitigate Targeted Cyber Intrusions.