The week in security: Government departments given infosec guidance as cloud threatens security workers

A set of concrete guidelines for government digital service delivery marked the first deliverables from the fledgling Digital Transformation Office (DTO), with mandatory compliance with the 36-element Protective Security Policy Framework among the security-related regulations agencies must now follow.

Such guidelines are designed to help government agencies avoid the kind of dramas that befell Linux promotion body Linux Australia, which was hit by hackers who, the organisation admitted, may have stolen the database used to manage its annual conferences.

Yet some government agencies were doing their own data collection, as revelations emerged that the US Drug Enforcement Administration and Department of Justice had been bulk-archiving records of phone conversations since 1992. That's a world away from the other government news of the week – including a report that said Russian hackers had accessed White House email, and a US FBI warning that Web defacements were using the name of terror group ISIS to raise their profile.

Your smartphone may soon replace your keychain for providing access to secure facilities. It uses a cloud-based security service of the type that has rapidly become popular for configuring remote online devices – and, the founders of startup Soha Systems believe, is going to make cloud security the next big thing.

Microsoft is doing its best to facilitate the cloud transition, with proactive efforts to sell users on the security and cloud benefits of upgrading aging Windows Server 2003 installations that will reach their end of life in July. As if to remind us of the dangers of relying on out-of-date operating systems, a report revealed that hackers had used malware attacks to steal €1.23 million ($A1.71m) from automatic teller machines that are still running Windows XP.

Even as SingTel threw its hat into the cloud-security ring, some were worrying that the cloud could also put many security workers out of jobs, although Deloitte was posting one for the workers by running a mock cyberattack designed to help staff understand their role in the response; the move was in line with recommendations from HP, which is advising customers to focus on staff security education instead of investing in new security technologies.

With many Internet of Things (IoT) devices found to be insecure by design, however, there may be some who are concerned about the rush to connect home devices of all sorts to the Internet – especially since even one organisation's compromised endpoint can be a conduit for attacks on others.

Little wonder that CISOs argue that security should be viewed as a business enabler rather than an innovation bottleneck. Malware writers certainly aren't stemming their innovation: a report from Websense Security Labs suggested that today's threats are increasingly sophisticated compared with those detected last year.

One analysis blamed the rapidly growing prevalence of Web-exploit kits. Even the police are getting tricked, with one Massachusetts police department forking over $US500 to unlock files that were encrypted in a CryptoLocker infection. French TV broadcaster TV5Monde was taken off the air after Islamist hackers scored a direct hit – then made things worse by broadcasting an internal shot that appeared to reveal social-media logins and passwords – while the police scored a retaliatory strike by disrupting the Beebone malware-distribution botnet.

Firefox's move to encrypt many types of unencrypted data was welcomed by security experts, but encryption has its problems too: Gmail service was interrupted for some users after Google forgot to renew a crucial digital certificate. Also from the Oops! file, a Dell support tool that was previously found to suffer from security vulnerabilities is now being picked up by security scanners as a potentially problematic application.

The UK government's mass-spying practices were challenged at a European human rights court, while German authorities ordered Google to change its privacy practices – over concerns that probably weren't allayed after a mistake by a Bulgarian Google Ad reseller saw users redirected to malicious ads that tried to install malware on users' systems. Meanwhile, encryption startup Vera had its own take on privacy with a service that locks down transferred documents.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by David Braue
