Australia's Defence Signals Directorate (DSD) has won the 2011 US National Cybersecurity Innovation Award for identifying four simple security controls that can prevent 85 percent of targeted intrusions.
DSD is responsible for protecting Australia's government networks, both civilian and military. A team led by Steve Mcleod and Chris Brookes studied all known targeted intrusions against government systems to see what would have stopped them spreading.
While they identified 35 controls that would be valuable and provided detailed explanations, these four controls alone must be implemented if organisations are to have any hope of defending their systems:
- Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers.
- Patch operating system vulnerabilities.
- Minimise the number of users with administrative privileges.
- Use application whitelisting to help prevent malicious software and other unapproved programs from running.
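To show what checking a fleet against these four controls looks like in practice, here is a small audit script. It is an added example, not DSD's or SANS's own tooling: the host inventory, the minimum application versions and the administrator-count threshold are all constructed placeholders, and a real deployment would feed it data from a patch-management or endpoint-inventory system.

```python
"""Audit a host inventory against the four DSD controls: patched
applications, patched OS, few administrators, application whitelisting.

Added example with constructed data; not code from DSD, SANS or any agency.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical minimum acceptable versions for the application types the
# controls name. Placeholder values: substitute what your patch policy requires.
MIN_APP_VERSIONS: Dict[str, str] = {
    "pdf_reader": "10.1.0",
    "office": "14.0.0",
    "java": "1.7.0",
    "flash": "11.0.0",
    "browser": "8.0.0",
}
MAX_ADMIN_ACCOUNTS = 2  # policy threshold chosen for this example only


@dataclass
class Host:
    name: str
    apps: Dict[str, str]          # installed application -> version string
    pending_os_patches: int       # OS patches released but not yet applied
    admin_accounts: List[str]     # members of the local administrators group
    whitelisting_enforced: bool   # application control in enforce, not audit, mode


def version_tuple(version: str) -> Tuple[int, ...]:
    """'10.1.2' -> (10, 1, 2) so versions compare numerically ('9.4' < '10.1')."""
    return tuple(int(part) for part in version.split("."))


def assess_host(host: Host) -> Dict[str, object]:
    """Return per-control findings for one host; empty list / 0 / False means compliant."""
    outdated = sorted(
        app for app, installed in host.apps.items()
        if app in MIN_APP_VERSIONS
        and version_tuple(installed) < version_tuple(MIN_APP_VERSIONS[app])
    )
    return {
        "patch_apps": outdated,                              # apps below the baseline
        "patch_os": host.pending_os_patches,                 # outstanding OS patches
        "admin_excess": max(0, len(host.admin_accounts) - MAX_ADMIN_ACCOUNTS),
        "whitelisting_missing": not host.whitelisting_enforced,
    }


def is_compliant(result: Dict[str, object]) -> bool:
    """True only when all four controls are satisfied on that host."""
    return (not result["patch_apps"]
            and result["patch_os"] == 0
            and result["admin_excess"] == 0
            and not result["whitelisting_missing"])


def fleet_summary(hosts: List[Host]) -> Dict[str, int]:
    """Count how many hosts fail each control, and how many pass all four."""
    summary = {"patch_apps": 0, "patch_os": 0, "admin_excess": 0,
               "whitelisting_missing": 0, "compliant": 0}
    for host in hosts:
        result = assess_host(host)
        if result["patch_apps"]:
            summary["patch_apps"] += 1
        if result["patch_os"]:
            summary["patch_os"] += 1
        if result["admin_excess"]:
            summary["admin_excess"] += 1
        if result["whitelisting_missing"]:
            summary["whitelisting_missing"] += 1
        if is_compliant(result):
            summary["compliant"] += 1
    return summary


# Constructed sample inventory (three hypothetical hosts).
SAMPLE_HOSTS = [
    Host("ws-01", {"pdf_reader": "10.1.3", "office": "14.0.6", "java": "1.7.0",
                   "browser": "9.0.0"}, 0, ["admin"], True),
    Host("ws-02", {"pdf_reader": "9.4.0", "office": "14.0.6", "java": "1.6.0",
                   "flash": "11.2.0", "browser": "8.0.0"}, 3,
         ["admin", "alice", "bob"], False),
    Host("srv-01", {"java": "1.7.0", "browser": "8.0.0"}, 0,
         ["admin", "ops", "svc_backup", "carol"], True),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.name, assess_host(h))
    print("fleet:", fleet_summary(SAMPLE_HOSTS))
```

The per-host findings are deliberately kept separate from the pass/fail verdict: an auditor wants to see which application is behind, how many patches are outstanding and which accounts push the administrator count over the threshold, not just a red or green flag. Note also that whitelisting in audit-only mode is counted as missing, because only enforce mode stops an unapproved binary from running.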
"The cost of implementing these four controls is a tiny fraction of the cost of implementing the average US federal government agency cybersecurity program," wrote the SANS Institute in a media release announcing the win.
"Since the impact of this low-cost approach is much better security than what US agencies are experiencing, the Australian innovation changes the game."
In agencies that have implemented these controls, the spread of targeted attacks is no longer a significant problem.
"Although these controls will not stop the most sophisticated attackers, they do stop the targeted attackers with medium and low sophistication, the ones that cause the greatest amount of information loss," SANS wrote.
SANS congratulated defence secretary Dr Ian Watt for his "extraordinary leadership" in advocating that all cabinet agencies implement the four controls (nicknamed the "sweet spot") and making sure they were doing it.
"This is a great way for security people to become security heroes," said Alan Paller, director of research at the SANS Institute.
"Auditors who are not checking for these four being fully implemented should refund their salaries because they are looking at the wrong things."
Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian