DSD re-ranks security strategies to mitigate intrusions

The Defence Signals Directorate has updated its list of 35 strategies for mitigating targeted cyber intrusions, re-ranking several of them to reflect which measures proved more or less effective this year compared with last.

The Australian Defence Signals Directorate (DSD) has updated its top 35 strategies to mitigate targeted cyber intrusions. The top four positions are unchanged from last year, but several other strategies have been re-ranked to reflect their observed effectiveness.

The top four, in order of effectiveness, are application whitelisting, patching applications, patching operating system vulnerabilities, and minimising the number of users with administrative privileges.

DSD rated the security effectiveness of these four measures as "essential" and said that 85 percent of the intrusions it responded to last year could have been mitigated had the top four strategies been in place.

That coverage can be extended further: the strategies document recommends that, once an organisation has implemented the top four, it then adopt additional strategies from the list to close any remaining security gaps.

However, while the top four have held their positions, the rankings of several other measures have changed over the past year.

Host-based intrusion detection/prevention systems (IDS/IPS) fell six places in ranked effectiveness, from 5th last year to 11th.

Email-focused defences were likewise rated less effective than a year ago: whitelisting email content dropped from 6th place to 14th, blocking spoofed emails dropped from 7th to 19th, and even educating users not to respond to socially engineered emails dropped from 8th to 20th.

The five lowest-ranked measures, which DSD still rates as providing average security effectiveness, are the same as in 2011. They are: disabling LanMan (LM) passphrase support; blocking attempts to access websites by IP address, so that adversaries are forced to obtain a domain name that can itself be blocked or monitored; using signature- and heuristic-based network IDS/IPS; blocking access to malicious domains and IP addresses at the gateway; and capturing network traffic for post-incident analysis, for example by retaining it for seven days.

Measures that rose significantly in the ranking this year include multi-factor authentication, non-persistent virtual environments for risky activities such as web browsing, and application-based software firewalls on endpoints.

The complete list of mitigation strategies is available from DSD (PDF).